Dedup Cache poisoning and Untrusted checkout

ql/src/Security/CWE-349/CachePoisoning.ql

@@ -41,7 +41,8 @@ where
     // the job writes to the cache
     // (No need to follow the checkout step as the cache writing is normally done after the job completes)
     j.getAStep() = s and
-    s instanceof CacheWritingStep
+    s instanceof CacheWritingStep and
+    not s instanceof PoisonableStep
     or
     // the job executes checked-out code
     // (The cache specific token can be leaked even for non-privileged workflows)

ql/test/query-tests/Security/CWE-349/.github/workflows/poc.yml

@@ -0,0 +1,63 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# Sample workflow for building and deploying a Jekyll site to GitHub Pages
+name: Deploy Jekyll site to Pages preview environment
+on:
+  # Runs on pull requests targeting the default branch
+  pull_request_target:
+    branches: ["main"]
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+# Allow only one concurrent deployment per PR, skipping runs queued between the run in-progress and latest queued.
+# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
+concurrency:
+  group: 'pages-preview @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: false
+jobs:
+  # Build job
+  build:
+    # Limit permissions of the GITHUB_TOKEN for untrusted code
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+        with:
+          # For PRs make sure to checkout the PR branch
+          ref: ${{ github.event.pull_request.head.ref }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+      - name: Setup Pages
+        uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
+      - name: Build with Jekyll
+        uses: actions/jekyll-build-pages@b178f9334b208360999a0a57b523613563698c66 # v1
+        with:
+          source: ./
+          destination: ./_site
+      - name: Upload artifact
+        # Automatically uploads an artifact from the './_site' directory by default
+        uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3
+  # Deployment job
+  deploy:
+    environment:
+      name: 'Pages Preview'
+      url: ${{ steps.deployment.outputs.page_url }}
+    # Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+    permissions:
+      contents: read
+      pages: write
+      id-token: write
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4
+        with:
+          preview: 'true'

ql/test/query-tests/Security/CWE-349/.github/workflows/poc2.yml

@@ -0,0 +1,58 @@
+name: branch-deploy
+
+on:
+  issue_comment:
+    types: [created]
+
+# Permissions needed for reacting and adding comments for IssueOps commands
+permissions:
+  pull-requests: write
+  deployments: write
+  contents: write
+  checks: read
+
+jobs:
+  branch-deploy:
+    name: branch-deploy
+    if: # only run on pull request comments and very specific comment body string as defined in our branch-deploy settings
+      ${{ github.event.issue.pull_request &&
+      (startsWith(github.event.comment.body, '.deploy') ||
+      startsWith(github.event.comment.body, '.noop') ||
+      startsWith(github.event.comment.body, '.lock') ||
+      startsWith(github.event.comment.body, '.help') ||
+      startsWith(github.event.comment.body, '.wcid') ||
+      startsWith(github.event.comment.body, '.unlock')) }}
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: branch-deploy
+        id: branch-deploy
+        uses: github/branch-deploy@v9
+        with:
+          trigger: ".deploy"
+          environment: "production"
+          sticky_locks: "true" # https://github.com/github/branch-deploy/blob/1f6516ef5092890ce75d9e97ca7cbdb628e38bdd/docs/hubot-style-deployment-locks.md
+        
+      # Check out the ref from the output of the IssueOps command
+      - uses: actions/checkout@v4
+        if: ${{ steps.branch-deploy.outputs.continue == 'true' }}
+        with:
+          ref: ${{ steps.branch-deploy.outputs.ref }}
+
+      - uses: ruby/setup-ruby@d4526a55538b775af234ba4af27118ed6f8f6677 # pin@v1.172.0
+        if: ${{ steps.branch-deploy.outputs.continue == 'true' }}
+        with:
+          bundler-cache: true
+
+      - name: bootstrap
+        if: ${{ steps.branch-deploy.outputs.continue == 'true' }}
+        run: script/bootstrap
+
+      # Here we run a deploy. It is "gated" by the IssueOps logic and will only run if the outputs from our branch-deploy step indicate that the workflow should continue
+      - name: deploy
+        if: ${{ steps.branch-deploy.outputs.continue == 'true' && steps.branch-deploy.outputs.noop != 'true' }}
+        run: |
+          set -o pipefail
+          script/deploy | tee deploy.out
+          bundle exec ruby script/ci/render_deploy_message.rb
+          rm deploy.out

ql/test/query-tests/Security/CWE-349/.github/workflows/poc3.yml

@@ -0,0 +1,64 @@
+name: Publish
+
+on:
+  push:
+    branches:
+      - main
+  pull_request_target:
+  workflow_dispatch:
+  workflow_call:
+
+jobs:
+  build-and-upload:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+
+    - name: Checkout PR
+      if: ${{ github.event_name == 'pull_request_target' }}
+      uses: actions/checkout@v3
+      with:
+        ref: ${{ github.event.pull_request.head.ref }}
+        repository: ${{ github.event.pull_request.head.repo.full_name }}
+
+    - name: Checkout
+      if: ${{ github.event_name != 'pull_request_target' }}
+      uses: actions/checkout@v3
+      with:
+        ref: main
+    
+    - name: Setup Pages
+      uses: actions/configure-pages@v1
+    - name: Use Node.js
+      uses: actions/setup-node@v3
+      with:
+        node-version: 18
+        cache: npm
+    - name: Update npm to latest
+      run: npm i --prefer-online --no-fund --no-audit -g npm@latest
+    - run: npm -v
+    - run: npm i --ignore-scripts --no-audit --no-fund --package-lock
+    - run: npm run build -w www
+    - name: Upload artifact
+      uses: actions/upload-pages-artifact@v1
+      with:
+        path: './workspaces/www/build'
+
+  deploy:
+    runs-on: ubuntu-latest
+    needs: build-and-upload
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    permissions:
+      pages: write
+      id-token: write
+    outputs:
+      deployment_url: ${{ steps.deployment.outputs.page_url }}
+    steps:
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@v1
+        with:
+          preview: ${{ github.event_name == 'pull_request_target' }}

ql/test/query-tests/Security/CWE-349/CachePoisoning.expected

@@ -1,4 +1,56 @@
 edges
+| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:37:9:42:6 | Uses Step |
+| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:42:9:47:6 | Uses Step |
+| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:47:9:52:6 | Run Step |
+| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:52:9:58:24 | Run Step |
+| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step |
+| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:47:9:52:6 | Run Step |
+| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step |
+| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:47:9:52:6 | Run Step |
+| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step |
+| .github/workflows/poc2.yml:47:9:52:6 | Run Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step |
+| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:25:7:31:4 | Uses Step |
+| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:31:7:33:4 | Uses Step |
+| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step |
+| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step |
+| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step |
+| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step |
+| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step |
+| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step |
+| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:31:7:33:4 | Uses Step |
+| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step |
+| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step |
+| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step |
+| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step |
+| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step |
+| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step |
+| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step |
+| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step |
+| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step |
+| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step |
+| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step |
+| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step |
+| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step |
+| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step |
+| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step |
+| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step |
+| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step |
+| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step |
+| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step |
+| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step |
+| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step |
+| .github/workflows/poc3.yml:40:7:41:4 | Run Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step |
+| .github/workflows/poc3.yml:40:7:41:4 | Run Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step |
+| .github/workflows/poc3.yml:40:7:41:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step |
+| .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step |
+| .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step |
+| .github/workflows/poc3.yml:42:7:43:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step |
+| .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:36:9:38:6 | Uses Step |
+| .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step |
+| .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step |
+| .github/workflows/poc.yml:36:9:38:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step |
+| .github/workflows/poc.yml:36:9:38:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step |
+| .github/workflows/poc.yml:38:9:43:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step |
 | .github/workflows/test1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/test1.yml:13:9:18:6 | Uses Step |
 | .github/workflows/test1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/test1.yml:18:9:22:6 | Uses Step |
 | .github/workflows/test1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/test1.yml:22:9:23:21 | Run Step |
@@ -104,6 +156,11 @@ edges
 | .github/workflows/test20.yml:41:7:42:4 | Run Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step |
 | .github/workflows/test20.yml:42:7:43:4 | Run Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step |
 #select
+| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | Potential cache poisoning in the context of the default branch |
+| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | Potential cache poisoning in the context of the default branch |
+| .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | Potential cache poisoning in the context of the default branch |
+| .github/workflows/poc3.yml:42:7:43:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | Potential cache poisoning in the context of the default branch |
+| .github/workflows/poc.yml:38:9:43:6 | Uses Step | .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step | Potential cache poisoning in the context of the default branch |
 | .github/workflows/test1.yml:18:9:22:6 | Uses Step | .github/workflows/test1.yml:13:9:18:6 | Uses Step | .github/workflows/test1.yml:18:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branch |
 | .github/workflows/test2.yml:14:9:18:6 | Uses Step | .github/workflows/test2.yml:11:9:14:6 | Uses Step | .github/workflows/test2.yml:14:9:18:6 | Uses Step | Potential cache poisoning in the context of the default branch |
 | .github/workflows/test3.yml:14:9:22:6 | Uses Step | .github/workflows/test3.yml:11:9:14:6 | Uses Step | .github/workflows/test3.yml:14:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branch |

ql/test/query-tests/Security/CWE-829/.github/workflows/poc.yml

@@ -0,0 +1,63 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# Sample workflow for building and deploying a Jekyll site to GitHub Pages
+name: Deploy Jekyll site to Pages preview environment
+on:
+  # Runs on pull requests targeting the default branch
+  pull_request_target:
+    branches: ["main"]
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+# Allow only one concurrent deployment per PR, skipping runs queued between the run in-progress and latest queued.
+# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
+concurrency:
+  group: 'pages-preview @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: false
+jobs:
+  # Build job
+  build:
+    # Limit permissions of the GITHUB_TOKEN for untrusted code
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+        with:
+          # For PRs make sure to checkout the PR branch
+          ref: ${{ github.event.pull_request.head.ref }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+      - name: Setup Pages
+        uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
+      - name: Build with Jekyll
+        uses: actions/jekyll-build-pages@b178f9334b208360999a0a57b523613563698c66 # v1
+        with:
+          source: ./
+          destination: ./_site
+      - name: Upload artifact
+        # Automatically uploads an artifact from the './_site' directory by default
+        uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3
+  # Deployment job
+  deploy:
+    environment:
+      name: 'Pages Preview'
+      url: ${{ steps.deployment.outputs.page_url }}
+    # Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+    permissions:
+      contents: read
+      pages: write
+      id-token: write
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4
+        with:
+          preview: 'true'

ql/test/query-tests/Security/CWE-829/.github/workflows/poc2.yml

@@ -0,0 +1,58 @@
+name: branch-deploy
+
+on:
+  issue_comment:
+    types: [created]
+
+# Permissions needed for reacting and adding comments for IssueOps commands
+permissions:
+  pull-requests: write
+  deployments: write
+  contents: write
+  checks: read
+
+jobs:
+  branch-deploy:
+    name: branch-deploy
+    if: # only run on pull request comments and very specific comment body string as defined in our branch-deploy settings
+      ${{ github.event.issue.pull_request &&
+      (startsWith(github.event.comment.body, '.deploy') ||
+      startsWith(github.event.comment.body, '.noop') ||
+      startsWith(github.event.comment.body, '.lock') ||
+      startsWith(github.event.comment.body, '.help') ||
+      startsWith(github.event.comment.body, '.wcid') ||
+      startsWith(github.event.comment.body, '.unlock')) }}
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: branch-deploy
+        id: branch-deploy
+        uses: github/branch-deploy@v9
+        with:
+          trigger: ".deploy"
+          environment: "production"
+          sticky_locks: "true" # https://github.com/github/branch-deploy/blob/1f6516ef5092890ce75d9e97ca7cbdb628e38bdd/docs/hubot-style-deployment-locks.md
+        
+      # Check out the ref from the output of the IssueOps command
+      - uses: actions/checkout@v4
+        if: ${{ steps.branch-deploy.outputs.continue == 'true' }}
+        with:
+          ref: ${{ steps.branch-deploy.outputs.ref }}
+
+      - uses: ruby/setup-ruby@d4526a55538b775af234ba4af27118ed6f8f6677 # pin@v1.172.0
+        if: ${{ steps.branch-deploy.outputs.continue == 'true' }}
+        with:
+          bundler-cache: true
+
+      - name: bootstrap
+        if: ${{ steps.branch-deploy.outputs.continue == 'true' }}
+        run: script/bootstrap
+
+      # Here we run a deploy. It is "gated" by the IssueOps logic and will only run if the outputs from our branch-deploy step indicate that the workflow should continue
+      - name: deploy
+        if: ${{ steps.branch-deploy.outputs.continue == 'true' && steps.branch-deploy.outputs.noop != 'true' }}
+        run: |
+          set -o pipefail
+          script/deploy | tee deploy.out
+          bundle exec ruby script/ci/render_deploy_message.rb
+          rm deploy.out

ql/test/query-tests/Security/CWE-829/.github/workflows/poc3.yml

@@ -0,0 +1,64 @@
+name: Publish
+
+on:
+  push:
+    branches:
+      - main
+  pull_request_target:
+  workflow_dispatch:
+  workflow_call:
+
+jobs:
+  build-and-upload:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+
+    - name: Checkout PR
+      if: ${{ github.event_name == 'pull_request_target' }}
+      uses: actions/checkout@v3
+      with:
+        ref: ${{ github.event.pull_request.head.ref }}
+        repository: ${{ github.event.pull_request.head.repo.full_name }}
+
+    - name: Checkout
+      if: ${{ github.event_name != 'pull_request_target' }}
+      uses: actions/checkout@v3
+      with:
+        ref: main
+    
+    - name: Setup Pages
+      uses: actions/configure-pages@v1
+    - name: Use Node.js
+      uses: actions/setup-node@v3
+      with:
+        node-version: 18
+        cache: npm
+    - name: Update npm to latest
+      run: npm i --prefer-online --no-fund --no-audit -g npm@latest
+    - run: npm -v
+    - run: npm i --ignore-scripts --no-audit --no-fund --package-lock
+    - run: npm run build -w www
+    - name: Upload artifact
+      uses: actions/upload-pages-artifact@v1
+      with:
+        path: './workspaces/www/build'
+
+  deploy:
+    runs-on: ubuntu-latest
+    needs: build-and-upload
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    permissions:
+      pages: write
+      id-token: write
+    outputs:
+      deployment_url: ${{ steps.deployment.outputs.page_url }}
+    steps:
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@v1
+        with:
+          preview: ${{ github.event_name == 'pull_request_target' }}

ql/test/query-tests/Security/CWE-829/.github/workflows/test.yml

@@ -0,0 +1,37 @@
+name: Tests
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  tests:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Fetch CodeQL
+        shell: bash
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        run: |
+          gh extension install github/gh-codeql
+          gh codeql set-channel "nightly"
+          gh codeql version
+          printf "CODEQL_FETCHED_CODEQL_PATH=" >> "${GITHUB_ENV}"
+          gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_ENV}"
+          gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_PATH}"
+      - name: Install Packs
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        run: |
+          gh repo clone github/codeql
+          codeql pack install "ql/lib"
+          codeql pack install "ql/src"
+          codeql pack install "ql/test"
+      - name: Run Tests
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        run: |
+          codeql test run ql/test

ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected

@@ -198,6 +198,58 @@ edges
 | .github/workflows/mend.yml:13:9:22:6 | Run Step: set_ref | .github/workflows/mend.yml:22:9:29:6 | Uses Step |
 | .github/workflows/mend.yml:13:9:22:6 | Run Step: set_ref | .github/workflows/mend.yml:29:9:33:28 | Uses Step |
 | .github/workflows/mend.yml:22:9:29:6 | Uses Step | .github/workflows/mend.yml:29:9:33:28 | Uses Step |
+| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:37:9:42:6 | Uses Step |
+| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:42:9:47:6 | Uses Step |
+| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:47:9:52:6 | Run Step |
+| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:52:9:58:24 | Run Step |
+| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step |
+| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:47:9:52:6 | Run Step |
+| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step |
+| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:47:9:52:6 | Run Step |
+| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step |
+| .github/workflows/poc2.yml:47:9:52:6 | Run Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step |
+| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:25:7:31:4 | Uses Step |
+| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:31:7:33:4 | Uses Step |
+| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step |
+| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step |
+| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step |
+| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step |
+| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step |
+| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step |
+| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:31:7:33:4 | Uses Step |
+| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step |
+| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step |
+| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step |
+| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step |
+| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step |
+| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step |
+| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step |
+| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step |
+| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step |
+| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step |
+| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step |
+| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step |
+| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step |
+| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step |
+| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step |
+| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step |
+| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step |
+| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step |
+| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step |
+| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step |
+| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step |
+| .github/workflows/poc3.yml:40:7:41:4 | Run Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step |
+| .github/workflows/poc3.yml:40:7:41:4 | Run Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step |
+| .github/workflows/poc3.yml:40:7:41:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step |
+| .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step |
+| .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step |
+| .github/workflows/poc3.yml:42:7:43:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step |
+| .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:36:9:38:6 | Uses Step |
+| .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step |
+| .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step |
+| .github/workflows/poc.yml:36:9:38:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step |
+| .github/workflows/poc.yml:36:9:38:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step |
+| .github/workflows/poc.yml:38:9:43:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step |
 | .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | .github/workflows/priv_pull_request_checkout.yml:20:9:23:52 | Run Step |
 | .github/workflows/test1.yml:18:9:21:6 | Uses Step | .github/workflows/test1.yml:21:9:24:6 | Run Step |
 | .github/workflows/test1.yml:18:9:21:6 | Uses Step | .github/workflows/test1.yml:24:9:25:39 | Run Step |
@@ -242,6 +294,12 @@ edges
 | .github/workflows/test4.yml:41:7:42:4 | Run Step | .github/workflows/test4.yml:42:7:43:4 | Run Step |
 | .github/workflows/test4.yml:41:7:42:4 | Run Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step |
 | .github/workflows/test4.yml:42:7:43:4 | Run Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step |
+| .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:14:9:25:6 | Run Step |
+| .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:25:9:33:6 | Run Step |
+| .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:33:9:37:34 | Run Step |
+| .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:25:9:33:6 | Run Step |
+| .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step |
+| .github/workflows/test.yml:25:9:33:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step |
 | .github/workflows/unpinned_tags.yml:9:7:10:4 | Uses Step | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step |
 | .github/workflows/unpinned_tags.yml:9:7:10:4 | Uses Step | .github/workflows/unpinned_tags.yml:11:7:11:61 | Uses Step |
 | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | .github/workflows/unpinned_tags.yml:11:7:11:61 | Uses Step |
@@ -261,5 +319,7 @@ edges
 | .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. |
 | .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. |
 | .github/workflows/mend.yml:29:9:33:28 | Uses Step | .github/workflows/mend.yml:22:9:29:6 | Uses Step | .github/workflows/mend.yml:29:9:33:28 | Uses Step | Potential unsafe checkout of untrusted code on a privileged workflow. |
+| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Potential unsafe checkout of untrusted code on a privileged workflow. |
+| .github/workflows/poc2.yml:52:9:58:24 | Run Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. |
 | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. |
 | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. |

ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected

@@ -1,5 +1,7 @@
 | .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/dependabot1.yml:39:9:43:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
+| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
+| .github/workflows/poc.yml:30:9:36:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/test3.yml:28:9:33:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/test4.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |