mirror of
https://github.com/github/codeql.git
synced 2026-04-25 16:55:19 +02:00
JS: Remove js/actions/command-injection
Superseded by actions/command-injection/{medium,critical}
This commit is contained in:
Asger F
@@ -1,56 +0,0 @@
|
||||
<!DOCTYPE qhelp PUBLIC
|
||||
"-//Semmle//qhelp//EN"
|
||||
"qhelp.dtd">
|
||||
<qhelp>
|
||||
<overview>
|
||||
<p>
|
||||
Using user-controlled input in GitHub Actions may lead to
|
||||
code injection in contexts like <i>run:</i> or <i>script:</i>.
|
||||
</p>
|
||||
<p>
|
||||
Code injection in GitHub Actions may allow an attacker to
|
||||
exfiltrate any secrets used in the workflow and
|
||||
the temporary GitHub repository authorization token.
|
||||
The token might have write access to the repository, allowing an attacker
|
||||
to use the token to make changes to the repository.
|
||||
</p>
|
||||
</overview>
|
||||
|
||||
<recommendation>
|
||||
<p>
|
||||
The best practice to avoid code injection vulnerabilities
|
||||
in GitHub workflows is to set the untrusted input value of the expression
|
||||
to an intermediate environment variable and then use the environment variable
|
||||
using the native syntax of the shell/script interpreter (that is, not <i>${{ env.VAR }}</i>).
|
||||
</p>
|
||||
<p>
|
||||
It is also recommended to limit the permissions of any tokens used
|
||||
by a workflow such as the GITHUB_TOKEN.
|
||||
</p>
|
||||
</recommendation>
|
||||
|
||||
<example>
|
||||
<p>
|
||||
The following example lets a user inject an arbitrary shell command:
|
||||
</p>
|
||||
<sample src="examples/comment_issue_bad.yml" />
|
||||
|
||||
<p>
|
||||
The following example uses an environment variable, but
|
||||
<b>still allows the injection</b> because of the use of expression syntax:
|
||||
</p>
|
||||
<sample src="examples/comment_issue_bad_env.yml" />
|
||||
|
||||
<p>
|
||||
The following example uses shell syntax to read
|
||||
the environment variable and will prevent the attack:
|
||||
</p>
|
||||
<sample src="examples/comment_issue_good.yml" />
|
||||
</example>
|
||||
|
||||
<references>
|
||||
<li>GitHub Security Lab Research: <a href="https://securitylab.github.com/research/github-actions-untrusted-input">Keeping your GitHub Actions and workflows secure: Untrusted input</a>.</li>
|
||||
<li>GitHub Docs: <a href="https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions">Security hardening for GitHub Actions</a>.</li>
|
||||
<li>GitHub Docs: <a href="https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token">Permissions for the GITHUB_TOKEN</a>.</li>
|
||||
</references>
|
||||
</qhelp>
|
||||
@@ -1,270 +0,0 @@
|
||||
/**
|
||||
* @name Expression injection in Actions
|
||||
* @description Using user-controlled GitHub Actions contexts like `run:` or `script:` may allow a malicious
|
||||
* user to inject code into the GitHub action.
|
||||
* @kind problem
|
||||
* @problem.severity warning
|
||||
* @security-severity 9.3
|
||||
* @precision high
|
||||
* @id js/actions/command-injection
|
||||
* @tags actions
|
||||
* security
|
||||
* external/cwe/cwe-094
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.Actions
|
||||
|
||||
/**
|
||||
* A `script:` field within an Actions `with:` specific to `actions/github-script` action.
|
||||
*
|
||||
* For example:
|
||||
* ```
|
||||
* uses: actions/github-script@v3
|
||||
* with:
|
||||
* script: console.log('${{ github.event.pull_request.head.sha }}')
|
||||
* ```
|
||||
*/
|
||||
class GitHubScript extends YamlNode, YamlString {
|
||||
GitHubScriptWith with;
|
||||
|
||||
GitHubScript() { with.lookup("script") = this }
|
||||
|
||||
/** Gets the `with` field this field belongs to. */
|
||||
GitHubScriptWith getWith() { result = with }
|
||||
}
|
||||
|
||||
/**
|
||||
* A step that uses `actions/github-script` action.
|
||||
*/
|
||||
class GitHubScriptStep extends Actions::Step {
|
||||
GitHubScriptStep() { this.getUses().getGitHubRepository() = "actions/github-script" }
|
||||
}
|
||||
|
||||
/**
|
||||
* A `with:` field sibling to `uses: actions/github-script`.
|
||||
*/
|
||||
class GitHubScriptWith extends YamlNode, YamlMapping {
|
||||
GitHubScriptStep step;
|
||||
|
||||
GitHubScriptWith() { step.lookup("with") = this }
|
||||
|
||||
/** Gets the step this field belongs to. */
|
||||
GitHubScriptStep getStep() { result = step }
|
||||
}
|
||||
|
||||
bindingset[context]
|
||||
private predicate isExternalUserControlledIssue(string context) {
|
||||
context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*issue\\s*\\.\\s*title\\b") or
|
||||
context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*issue\\s*\\.\\s*body\\b")
|
||||
}
|
||||
|
||||
bindingset[context]
|
||||
private predicate isExternalUserControlledPullRequest(string context) {
|
||||
exists(string reg |
|
||||
reg =
|
||||
[
|
||||
"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*title\\b",
|
||||
"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*body\\b",
|
||||
"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*head\\s*\\.\\s*label\\b",
|
||||
"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*head\\s*\\.\\s*repo\\s*\\.\\s*default_branch\\b",
|
||||
"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*head\\s*\\.\\s*repo\\s*\\.\\s*description\\b",
|
||||
"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*head\\s*\\.\\s*repo\\s*\\.\\s*homepage\\b",
|
||||
"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*head\\s*\\.\\s*ref\\b",
|
||||
"\\bgithub\\s*\\.\\s*head_ref\\b"
|
||||
]
|
||||
|
|
||||
context.regexpMatch(reg)
|
||||
)
|
||||
}
|
||||
|
||||
bindingset[context]
|
||||
private predicate isExternalUserControlledReview(string context) {
|
||||
context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*review\\s*\\.\\s*body\\b")
|
||||
}
|
||||
|
||||
bindingset[context]
|
||||
private predicate isExternalUserControlledComment(string context) {
|
||||
context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*comment\\s*\\.\\s*body\\b")
|
||||
}
|
||||
|
||||
bindingset[context]
|
||||
private predicate isExternalUserControlledGollum(string context) {
|
||||
context
|
||||
.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pages\\[[0-9]+\\]\\s*\\.\\s*page_name\\b") or
|
||||
context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pages\\[[0-9]+\\]\\s*\\.\\s*title\\b")
|
||||
}
|
||||
|
||||
bindingset[context]
|
||||
private predicate isExternalUserControlledCommit(string context) {
|
||||
exists(string reg |
|
||||
reg =
|
||||
[
|
||||
"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*commits\\[[0-9]+\\]\\s*\\.\\s*message\\b",
|
||||
"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*head_commit\\s*\\.\\s*message\\b",
|
||||
"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*head_commit\\s*\\.\\s*author\\s*\\.\\s*email\\b",
|
||||
"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*head_commit\\s*\\.\\s*author\\s*\\.\\s*name\\b",
|
||||
"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*head_commit\\s*\\.\\s*committer\\s*\\.\\s*email\\b",
|
||||
"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*head_commit\\s*\\.\\s*committer\\s*\\.\\s*name\\b",
|
||||
"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*commits\\[[0-9]+\\]\\s*\\.\\s*author\\s*\\.\\s*email\\b",
|
||||
"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*commits\\[[0-9]+\\]\\s*\\.\\s*author\\s*\\.\\s*name\\b",
|
||||
"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*commits\\[[0-9]+\\]\\s*\\.\\s*committer\\s*\\.\\s*email\\b",
|
||||
"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*commits\\[[0-9]+\\]\\s*\\.\\s*committer\\s*\\.\\s*name\\b",
|
||||
]
|
||||
|
|
||||
context.regexpMatch(reg)
|
||||
)
|
||||
}
|
||||
|
||||
bindingset[context]
|
||||
private predicate isExternalUserControlledDiscussion(string context) {
|
||||
context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*discussion\\s*\\.\\s*title\\b") or
|
||||
context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*discussion\\s*\\.\\s*body\\b")
|
||||
}
|
||||
|
||||
bindingset[context]
|
||||
private predicate isExternalUserControlledWorkflowRun(string context) {
|
||||
exists(string reg |
|
||||
reg =
|
||||
[
|
||||
"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_branch\\b",
|
||||
"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*display_title\\b",
|
||||
"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_repository\\b\\s*\\.\\s*description\\b",
|
||||
"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_commit\\b\\s*\\.\\s*message\\b",
|
||||
"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_commit\\b\\s*\\.\\s*author\\b\\s*\\.\\s*email\\b",
|
||||
"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_commit\\b\\s*\\.\\s*author\\b\\s*\\.\\s*name\\b",
|
||||
"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_commit\\b\\s*\\.\\s*committer\\b\\s*\\.\\s*email\\b",
|
||||
"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_commit\\b\\s*\\.\\s*committer\\b\\s*\\.\\s*name\\b",
|
||||
]
|
||||
|
|
||||
context.regexpMatch(reg)
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if environment name in the `injection` (in a form of `env.name`)
|
||||
* is tainted by the `context` (in a form of `github.event.xxx.xxx`).
|
||||
*/
|
||||
bindingset[injection]
|
||||
predicate isEnvInterpolationTainted(string injection, string context) {
|
||||
exists(Actions::Env env, string envName, YamlString envValue |
|
||||
envValue = env.lookup(envName) and
|
||||
Actions::getEnvName(injection) = envName and
|
||||
Actions::getASimpleReferenceExpression(envValue) = context
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if the `run` contains any expression interpolation `${{ e }}`.
|
||||
* Sets `context` to the initial untrusted value assignment in case of `${{ env... }}` interpolation
|
||||
*/
|
||||
predicate isRunInjectable(Actions::Run run, string injection, string context) {
|
||||
Actions::getASimpleReferenceExpression(run) = injection and
|
||||
(
|
||||
injection = context
|
||||
or
|
||||
isEnvInterpolationTainted(injection, context)
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if the `actions/github-script` contains any expression interpolation `${{ e }}`.
|
||||
* Sets `context` to the initial untrusted value assignment in case of `${{ env... }}` interpolation
|
||||
*/
|
||||
predicate isScriptInjectable(GitHubScript script, string injection, string context) {
|
||||
Actions::getASimpleReferenceExpression(script) = injection and
|
||||
(
|
||||
injection = context
|
||||
or
|
||||
isEnvInterpolationTainted(injection, context)
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if the composite action contains untrusted expression interpolation `${{ e }}`.
|
||||
*/
|
||||
YamlNode getInjectableCompositeActionNode(Actions::Runs runs, string injection, string context) {
|
||||
exists(Actions::Run run |
|
||||
isRunInjectable(run, injection, context) and
|
||||
result = run and
|
||||
run.getStep().getRuns() = runs
|
||||
)
|
||||
or
|
||||
exists(GitHubScript script |
|
||||
isScriptInjectable(script, injection, context) and
|
||||
result = script and
|
||||
script.getWith().getStep().getRuns() = runs
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if the workflow contains untrusted expression interpolation `${{ e }}`.
|
||||
*/
|
||||
YamlNode getInjectableWorkflowNode(Actions::On on, string injection, string context) {
|
||||
exists(Actions::Run run |
|
||||
isRunInjectable(run, injection, context) and
|
||||
result = run and
|
||||
run.getStep().getJob().getWorkflow().getOn() = on
|
||||
)
|
||||
or
|
||||
exists(GitHubScript script |
|
||||
isScriptInjectable(script, injection, context) and
|
||||
result = script and
|
||||
script.getWith().getStep().getJob().getWorkflow().getOn() = on
|
||||
)
|
||||
}
|
||||
|
||||
from YamlNode node, string injection, string context
|
||||
where
|
||||
exists(Actions::CompositeAction action, Actions::Runs runs |
|
||||
action.getRuns() = runs and
|
||||
node = getInjectableCompositeActionNode(runs, injection, context) and
|
||||
(
|
||||
isExternalUserControlledIssue(context) or
|
||||
isExternalUserControlledPullRequest(context) or
|
||||
isExternalUserControlledReview(context) or
|
||||
isExternalUserControlledComment(context) or
|
||||
isExternalUserControlledGollum(context) or
|
||||
isExternalUserControlledCommit(context) or
|
||||
isExternalUserControlledDiscussion(context) or
|
||||
isExternalUserControlledWorkflowRun(context)
|
||||
)
|
||||
)
|
||||
or
|
||||
exists(Actions::On on |
|
||||
node = getInjectableWorkflowNode(on, injection, context) and
|
||||
(
|
||||
exists(on.getNode("issues")) and
|
||||
isExternalUserControlledIssue(context)
|
||||
or
|
||||
exists(on.getNode("pull_request_target")) and
|
||||
isExternalUserControlledPullRequest(context)
|
||||
or
|
||||
exists(on.getNode("pull_request_review")) and
|
||||
(isExternalUserControlledReview(context) or isExternalUserControlledPullRequest(context))
|
||||
or
|
||||
exists(on.getNode("pull_request_review_comment")) and
|
||||
(isExternalUserControlledComment(context) or isExternalUserControlledPullRequest(context))
|
||||
or
|
||||
exists(on.getNode("issue_comment")) and
|
||||
(isExternalUserControlledComment(context) or isExternalUserControlledIssue(context))
|
||||
or
|
||||
exists(on.getNode("gollum")) and
|
||||
isExternalUserControlledGollum(context)
|
||||
or
|
||||
exists(on.getNode("push")) and
|
||||
isExternalUserControlledCommit(context)
|
||||
or
|
||||
exists(on.getNode("discussion")) and
|
||||
isExternalUserControlledDiscussion(context)
|
||||
or
|
||||
exists(on.getNode("discussion_comment")) and
|
||||
(isExternalUserControlledDiscussion(context) or isExternalUserControlledComment(context))
|
||||
or
|
||||
exists(on.getNode("workflow_run")) and
|
||||
isExternalUserControlledWorkflowRun(context)
|
||||
)
|
||||
)
|
||||
select node,
|
||||
"Potential injection from the ${{ " + injection +
|
||||
" }}, which may be controlled by an external user."
|
||||
@@ -1,8 +0,0 @@
|
||||
on: issue_comment
|
||||
|
||||
jobs:
|
||||
echo-body:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- run: |
|
||||
echo '${{ github.event.comment.body }}'
|
||||
@@ -1,10 +0,0 @@
|
||||
on: issue_comment
|
||||
|
||||
jobs:
|
||||
echo-body:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- env:
|
||||
BODY: ${{ github.event.issue.body }}
|
||||
run: |
|
||||
echo '${{ env.BODY }}'
|
||||
@@ -1,10 +0,0 @@
|
||||
on: issue_comment
|
||||
|
||||
jobs:
|
||||
echo-body:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- env:
|
||||
BODY: ${{ github.event.issue.body }}
|
||||
run: |
|
||||
echo "$BODY"
|
||||
@@ -1,28 +0,0 @@
|
||||
on: issue_comment
|
||||
|
||||
jobs:
|
||||
echo-chamber:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- run: |
|
||||
echo '${{ github.event.comment.body }}'
|
||||
|
||||
echo-chamber2:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- run: echo '${{ github.event.comment.body }}'
|
||||
- run: echo '${{ github.event.issue.body }}'
|
||||
- run: echo '${{ github.event.issue.title }}'
|
||||
|
||||
echo-chamber3:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/github-script@v3
|
||||
with:
|
||||
script: console.log('${{ github.event.comment.body }}')
|
||||
- uses: actions/github-script@v3
|
||||
with:
|
||||
script: console.log('${{ github.event.issue.body }}')
|
||||
- uses: actions/github-script@v3
|
||||
with:
|
||||
script: console.log('${{ github.event.issue.title }}')
|
||||
@@ -1,10 +0,0 @@
|
||||
on: issue_comment
|
||||
|
||||
# same as comment_issue but this file ends with a line break
|
||||
|
||||
jobs:
|
||||
echo-chamber:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- run: |
|
||||
echo '${{ github.event.comment.body }}'
|
||||
@@ -1,8 +0,0 @@
|
||||
on: discussion
|
||||
|
||||
jobs:
|
||||
echo-chamber:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- run: echo '${{ github.event.discussion.title }}'
|
||||
- run: echo '${{ github.event.discussion.body }}'
|
||||
@@ -1,9 +0,0 @@
|
||||
on: discussion_comment
|
||||
|
||||
jobs:
|
||||
echo-chamber:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- run: echo '${{ github.event.discussion.title }}'
|
||||
- run: echo '${{ github.event.discussion.body }}'
|
||||
- run: echo '${{ github.event.comment.body }}'
|
||||
@@ -1,11 +0,0 @@
|
||||
on: gollum
|
||||
|
||||
jobs:
|
||||
echo-chamber:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- run: echo '${{ github.event.pages[1].title }}'
|
||||
- run: echo '${{ github.event.pages[11].title }}'
|
||||
- run: echo '${{ github.event.pages[0].page_name }}'
|
||||
- run: echo '${{ github.event.pages[2222].page_name }}'
|
||||
- run: echo '${{ toJSON(github.event.pages.*.title) }}' # safe
|
||||
@@ -1,20 +0,0 @@
|
||||
on: issues
|
||||
|
||||
env:
|
||||
global_env: ${{ github.event.issue.title }}
|
||||
test: test
|
||||
|
||||
jobs:
|
||||
echo-chamber:
|
||||
env:
|
||||
job_env: ${{ github.event.issue.title }}
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- run: echo '${{ github.event.issue.title }}'
|
||||
- run: echo '${{ github.event.issue.body }}'
|
||||
- run: echo '${{ env.global_env }}'
|
||||
- run: echo '${{ env.test }}'
|
||||
- run: echo '${{ env.job_env }}'
|
||||
- run: echo '${{ env.step_env }}'
|
||||
env:
|
||||
step_env: ${{ github.event.issue.title }}
|
||||
@@ -1,14 +0,0 @@
|
||||
on: pull_request_review
|
||||
|
||||
jobs:
|
||||
echo-chamber:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- run: echo '${{ github.event.pull_request.title }}'
|
||||
- run: echo '${{ github.event.pull_request.body }}'
|
||||
- run: echo '${{ github.event.pull_request.head.label }}'
|
||||
- run: echo '${{ github.event.pull_request.head.repo.default_branch }}'
|
||||
- run: echo '${{ github.event.pull_request.head.repo.description }}'
|
||||
- run: echo '${{ github.event.pull_request.head.repo.homepage }}'
|
||||
- run: echo '${{ github.event.pull_request.head.ref }}'
|
||||
- run: echo '${{ github.event.review.body }}'
|
||||
@@ -1,14 +0,0 @@
|
||||
on: pull_request_review_comment
|
||||
|
||||
jobs:
|
||||
echo-chamber:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- run: echo '${{ github.event.pull_request.title }}'
|
||||
- run: echo '${{ github.event.pull_request.body }}'
|
||||
- run: echo '${{ github.event.pull_request.head.label }}'
|
||||
- run: echo '${{ github.event.pull_request.head.repo.default_branch }}'
|
||||
- run: echo '${{ github.event.pull_request.head.repo.description }}'
|
||||
- run: echo '${{ github.event.pull_request.head.repo.homepage }}'
|
||||
- run: echo '${{ github.event.pull_request.head.ref }}'
|
||||
- run: echo '${{ github.event.comment.body }}'
|
||||
@@ -1,16 +0,0 @@
|
||||
on: pull_request_target
|
||||
|
||||
jobs:
|
||||
echo-chamber:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- run: echo '${{ github.event.issue.title }}' # not defined
|
||||
- run: echo '${{ github.event.issue.body }}' # not defined
|
||||
- run: echo '${{ github.event.pull_request.title }}'
|
||||
- run: echo '${{ github.event.pull_request.body }}'
|
||||
- run: echo '${{ github.event.pull_request.head.label }}'
|
||||
- run: echo '${{ github.event.pull_request.head.repo.default_branch }}'
|
||||
- run: echo '${{ github.event.pull_request.head.repo.description }}'
|
||||
- run: echo '${{ github.event.pull_request.head.repo.homepage }}'
|
||||
- run: echo '${{ github.event.pull_request.head.ref }}'
|
||||
- run: echo '${{ github.head_ref }}'
|
||||
@@ -1,16 +0,0 @@
|
||||
on: push
|
||||
|
||||
jobs:
|
||||
echo-chamber:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- run: echo '${{ github.event.commits[11].message }}'
|
||||
- run: echo '${{ github.event.commits[11].author.email }}'
|
||||
- run: echo '${{ github.event.commits[11].author.name }}'
|
||||
- run: echo '${{ github.event.head_commit.message }}'
|
||||
- run: echo '${{ github.event.head_commit.author.email }}'
|
||||
- run: echo '${{ github.event.head_commit.author.name }}'
|
||||
- run: echo '${{ github.event.head_commit.committer.email }}'
|
||||
- run: echo '${{ github.event.head_commit.committer.name }}'
|
||||
- run: echo '${{ github.event.commits[11].committer.email }}'
|
||||
- run: echo '${{ github.event.commits[11].committer.name }}'
|
||||
@@ -1,16 +0,0 @@
|
||||
on:
|
||||
workflow_run:
|
||||
workflows: [test]
|
||||
|
||||
jobs:
|
||||
echo-chamber:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- run: echo '${{ github.event.workflow_run.display_title }}'
|
||||
- run: echo '${{ github.event.workflow_run.head_commit.message }}'
|
||||
- run: echo '${{ github.event.workflow_run.head_commit.author.email }}'
|
||||
- run: echo '${{ github.event.workflow_run.head_commit.author.name }}'
|
||||
- run: echo '${{ github.event.workflow_run.head_commit.committer.email }}'
|
||||
- run: echo '${{ github.event.workflow_run.head_commit.committer.name }}'
|
||||
- run: echo '${{ github.event.workflow_run.head_branch }}'
|
||||
- run: echo '${{ github.event.workflow_run.head_repository.description }}'
|
||||
@@ -1,65 +0,0 @@
|
||||
| .github/workflows/comment_issue.yml:7:12:8:48 | \| | Potential injection from the ${{ github.event.comment.body }}, which may be controlled by an external user. |
|
||||
| .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | Potential injection from the ${{ github.event.comment.body }}, which may be controlled by an external user. |
|
||||
| .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | Potential injection from the ${{ github.event.issue.body }}, which may be controlled by an external user. |
|
||||
| .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | Potential injection from the ${{ github.event.issue.title }}, which may be controlled by an external user. |
|
||||
| .github/workflows/comment_issue.yml:22:17:22:63 | console ... dy }}') | Potential injection from the ${{ github.event.comment.body }}, which may be controlled by an external user. |
|
||||
| .github/workflows/comment_issue.yml:25:17:25:61 | console ... dy }}') | Potential injection from the ${{ github.event.issue.body }}, which may be controlled by an external user. |
|
||||
| .github/workflows/comment_issue.yml:28:17:28:62 | console ... le }}') | Potential injection from the ${{ github.event.issue.title }}, which may be controlled by an external user. |
|
||||
| .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | Potential injection from the ${{ github.event.comment.body }}, which may be controlled by an external user. |
|
||||
| .github/workflows/discussion.yml:7:12:7:54 | echo '$ ... tle }}' | Potential injection from the ${{ github.event.discussion.title }}, which may be controlled by an external user. |
|
||||
| .github/workflows/discussion.yml:8:12:8:53 | echo '$ ... ody }}' | Potential injection from the ${{ github.event.discussion.body }}, which may be controlled by an external user. |
|
||||
| .github/workflows/discussion_comment.yml:7:12:7:54 | echo '$ ... tle }}' | Potential injection from the ${{ github.event.discussion.title }}, which may be controlled by an external user. |
|
||||
| .github/workflows/discussion_comment.yml:8:12:8:53 | echo '$ ... ody }}' | Potential injection from the ${{ github.event.discussion.body }}, which may be controlled by an external user. |
|
||||
| .github/workflows/discussion_comment.yml:9:12:9:50 | echo '$ ... ody }}' | Potential injection from the ${{ github.event.comment.body }}, which may be controlled by an external user. |
|
||||
| .github/workflows/gollum.yml:7:12:7:52 | echo '$ ... tle }}' | Potential injection from the ${{ github.event.pages[1].title }}, which may be controlled by an external user. |
|
||||
| .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | Potential injection from the ${{ github.event.pages[11].title }}, which may be controlled by an external user. |
|
||||
| .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | Potential injection from the ${{ github.event.pages[0].page_name }}, which may be controlled by an external user. |
|
||||
| .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | Potential injection from the ${{ github.event.pages[2222].page_name }}, which may be controlled by an external user. |
|
||||
| .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | Potential injection from the ${{ github.event.issue.title }}, which may be controlled by an external user. |
|
||||
| .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | Potential injection from the ${{ github.event.issue.body }}, which may be controlled by an external user. |
|
||||
| .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | Potential injection from the ${{ env.global_env }}, which may be controlled by an external user. |
|
||||
| .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | Potential injection from the ${{ env.job_env }}, which may be controlled by an external user. |
|
||||
| .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | Potential injection from the ${{ env.step_env }}, which may be controlled by an external user. |
|
||||
| .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | Potential injection from the ${{ github.event.pull_request.title }}, which may be controlled by an external user. |
|
||||
| .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | Potential injection from the ${{ github.event.pull_request.body }}, which may be controlled by an external user. |
|
||||
| .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | Potential injection from the ${{ github.event.pull_request.head.label }}, which may be controlled by an external user. |
|
||||
| .github/workflows/pull_request_review.yml:10:12:10:75 | echo '$ ... nch }}' | Potential injection from the ${{ github.event.pull_request.head.repo.default_branch }}, which may be controlled by an external user. |
|
||||
| .github/workflows/pull_request_review.yml:11:12:11:72 | echo '$ ... ion }}' | Potential injection from the ${{ github.event.pull_request.head.repo.description }}, which may be controlled by an external user. |
|
||||
| .github/workflows/pull_request_review.yml:12:12:12:69 | echo '$ ... age }}' | Potential injection from the ${{ github.event.pull_request.head.repo.homepage }}, which may be controlled by an external user. |
|
||||
| .github/workflows/pull_request_review.yml:13:12:13:59 | echo '$ ... ref }}' | Potential injection from the ${{ github.event.pull_request.head.ref }}, which may be controlled by an external user. |
|
||||
| .github/workflows/pull_request_review.yml:14:12:14:49 | echo '$ ... ody }}' | Potential injection from the ${{ github.event.review.body }}, which may be controlled by an external user. |
|
||||
| .github/workflows/pull_request_review_comment.yml:7:12:7:56 | echo '$ ... tle }}' | Potential injection from the ${{ github.event.pull_request.title }}, which may be controlled by an external user. |
|
||||
| .github/workflows/pull_request_review_comment.yml:8:12:8:55 | echo '$ ... ody }}' | Potential injection from the ${{ github.event.pull_request.body }}, which may be controlled by an external user. |
|
||||
| .github/workflows/pull_request_review_comment.yml:9:12:9:61 | echo '$ ... bel }}' | Potential injection from the ${{ github.event.pull_request.head.label }}, which may be controlled by an external user. |
|
||||
| .github/workflows/pull_request_review_comment.yml:10:12:10:75 | echo '$ ... nch }}' | Potential injection from the ${{ github.event.pull_request.head.repo.default_branch }}, which may be controlled by an external user. |
|
||||
| .github/workflows/pull_request_review_comment.yml:11:12:11:72 | echo '$ ... ion }}' | Potential injection from the ${{ github.event.pull_request.head.repo.description }}, which may be controlled by an external user. |
|
||||
| .github/workflows/pull_request_review_comment.yml:12:12:12:69 | echo '$ ... age }}' | Potential injection from the ${{ github.event.pull_request.head.repo.homepage }}, which may be controlled by an external user. |
|
||||
| .github/workflows/pull_request_review_comment.yml:13:12:13:59 | echo '$ ... ref }}' | Potential injection from the ${{ github.event.pull_request.head.ref }}, which may be controlled by an external user. |
|
||||
| .github/workflows/pull_request_review_comment.yml:14:12:14:50 | echo '$ ... ody }}' | Potential injection from the ${{ github.event.comment.body }}, which may be controlled by an external user. |
|
||||
| .github/workflows/pull_request_target.yml:9:12:9:56 | echo '$ ... tle }}' | Potential injection from the ${{ github.event.pull_request.title }}, which may be controlled by an external user. |
|
||||
| .github/workflows/pull_request_target.yml:10:12:10:55 | echo '$ ... ody }}' | Potential injection from the ${{ github.event.pull_request.body }}, which may be controlled by an external user. |
|
||||
| .github/workflows/pull_request_target.yml:11:12:11:61 | echo '$ ... bel }}' | Potential injection from the ${{ github.event.pull_request.head.label }}, which may be controlled by an external user. |
|
||||
| .github/workflows/pull_request_target.yml:12:12:12:75 | echo '$ ... nch }}' | Potential injection from the ${{ github.event.pull_request.head.repo.default_branch }}, which may be controlled by an external user. |
|
||||
| .github/workflows/pull_request_target.yml:13:12:13:72 | echo '$ ... ion }}' | Potential injection from the ${{ github.event.pull_request.head.repo.description }}, which may be controlled by an external user. |
|
||||
| .github/workflows/pull_request_target.yml:14:12:14:69 | echo '$ ... age }}' | Potential injection from the ${{ github.event.pull_request.head.repo.homepage }}, which may be controlled by an external user. |
|
||||
| .github/workflows/pull_request_target.yml:15:12:15:59 | echo '$ ... ref }}' | Potential injection from the ${{ github.event.pull_request.head.ref }}, which may be controlled by an external user. |
|
||||
| .github/workflows/pull_request_target.yml:16:12:16:40 | echo '$ ... ref }}' | Potential injection from the ${{ github.head_ref }}, which may be controlled by an external user. |
|
||||
| .github/workflows/push.yml:7:12:7:57 | echo '$ ... age }}' | Potential injection from the ${{ github.event.commits[11].message }}, which may be controlled by an external user. |
|
||||
| .github/workflows/push.yml:8:12:8:62 | echo '$ ... ail }}' | Potential injection from the ${{ github.event.commits[11].author.email }}, which may be controlled by an external user. |
|
||||
| .github/workflows/push.yml:9:12:9:61 | echo '$ ... ame }}' | Potential injection from the ${{ github.event.commits[11].author.name }}, which may be controlled by an external user. |
|
||||
| .github/workflows/push.yml:10:12:10:57 | echo '$ ... age }}' | Potential injection from the ${{ github.event.head_commit.message }}, which may be controlled by an external user. |
|
||||
| .github/workflows/push.yml:11:12:11:62 | echo '$ ... ail }}' | Potential injection from the ${{ github.event.head_commit.author.email }}, which may be controlled by an external user. |
|
||||
| .github/workflows/push.yml:12:12:12:61 | echo '$ ... ame }}' | Potential injection from the ${{ github.event.head_commit.author.name }}, which may be controlled by an external user. |
|
||||
| .github/workflows/push.yml:13:12:13:65 | echo '$ ... ail }}' | Potential injection from the ${{ github.event.head_commit.committer.email }}, which may be controlled by an external user. |
|
||||
| .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | Potential injection from the ${{ github.event.head_commit.committer.name }}, which may be controlled by an external user. |
|
||||
| .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | Potential injection from the ${{ github.event.commits[11].committer.email }}, which may be controlled by an external user. |
|
||||
| .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | Potential injection from the ${{ github.event.commits[11].committer.name }}, which may be controlled by an external user. |
|
||||
| .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | Potential injection from the ${{ github.event.workflow_run.display_title }}, which may be controlled by an external user. |
|
||||
| .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | Potential injection from the ${{ github.event.workflow_run.head_commit.message }}, which may be controlled by an external user. |
|
||||
| .github/workflows/workflow_run.yml:11:12:11:75 | echo '$ ... ail }}' | Potential injection from the ${{ github.event.workflow_run.head_commit.author.email }}, which may be controlled by an external user. |
|
||||
| .github/workflows/workflow_run.yml:12:12:12:74 | echo '$ ... ame }}' | Potential injection from the ${{ github.event.workflow_run.head_commit.author.name }}, which may be controlled by an external user. |
|
||||
| .github/workflows/workflow_run.yml:13:12:13:78 | echo '$ ... ail }}' | Potential injection from the ${{ github.event.workflow_run.head_commit.committer.email }}, which may be controlled by an external user. |
|
||||
| .github/workflows/workflow_run.yml:14:12:14:77 | echo '$ ... ame }}' | Potential injection from the ${{ github.event.workflow_run.head_commit.committer.name }}, which may be controlled by an external user. |
|
||||
| .github/workflows/workflow_run.yml:15:12:15:62 | echo '$ ... nch }}' | Potential injection from the ${{ github.event.workflow_run.head_branch }}, which may be controlled by an external user. |
|
||||
| .github/workflows/workflow_run.yml:16:12:16:78 | echo '$ ... ion }}' | Potential injection from the ${{ github.event.workflow_run.head_repository.description }}, which may be controlled by an external user. |
|
||||
| action1/action.yml:14:12:14:50 | echo '$ ... ody }}' | Potential injection from the ${{ github.event.comment.body }}, which may be controlled by an external user. |
|
||||
@@ -1 +0,0 @@
|
||||
query: Security/CWE-094/ExpressionInjection.ql
|
||||
@@ -1,14 +0,0 @@
|
||||
name: 'test'
|
||||
description: 'test'
|
||||
branding:
|
||||
icon: 'test'
|
||||
color: 'test'
|
||||
inputs:
|
||||
test:
|
||||
description: test
|
||||
required: false
|
||||
default: 'test'
|
||||
runs:
|
||||
using: "composite"
|
||||
steps:
|
||||
- run: echo '${{ github.event.comment.body }}'
|
||||
@@ -1,17 +0,0 @@
|
||||
name: 'Hello World'
|
||||
description: 'Greet someone and record the time'
|
||||
inputs:
|
||||
who-to-greet: # id of input
|
||||
description: 'Who to greet'
|
||||
required: true
|
||||
default: 'World'
|
||||
outputs:
|
||||
time: # id of output
|
||||
description: 'The time we greeted you'
|
||||
runs:
|
||||
using: 'docker'
|
||||
steps: # this is actually invalid, used to test we correctly identify composite actions
|
||||
- run: echo '${{ github.event.comment.body }}'
|
||||
image: 'Dockerfile'
|
||||
args:
|
||||
- ${{ inputs.who-to-greet }}
|
||||
Reference in New Issue
Block a user