From 7f77e89bbfa492e800e973152c0fbe2b4ece9240 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Fri, 12 Jul 2024 23:31:12 +0200
Subject: [PATCH] feat(tests): Add test for checkout in composite action

---
 .../actions/dangerous-git-checkout/action.yml | 13 +++++++++++++
 .../.github/workflows/untrusted_checkout3.yml | 13 +++++++++++++
 .../CWE-829/UntrustedCheckoutCritical.expected | 8 ++++++++
 3 files changed, 34 insertions(+)
 create mode 100644 ql/test/query-tests/Security/CWE-829/.github/actions/dangerous-git-checkout/action.yml
 create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout3.yml

diff --git a/ql/test/query-tests/Security/CWE-829/.github/actions/dangerous-git-checkout/action.yml b/ql/test/query-tests/Security/CWE-829/.github/actions/dangerous-git-checkout/action.yml
new file mode 100644
index 00000000000..57058e7a076
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/.github/actions/dangerous-git-checkout/action.yml
@@ -0,0 +1,13 @@
+name: Dangerous git Checkout
+description: "Git Checkout from PR code so we can run checks from forks"
+runs:
+  using: "composite"
+  steps:
+    - name: Checkout repo
+      uses: actions/checkout@v4
+      with:
+        ref: ${{ github.event.pull_request.head.sha }}
+        fetch-depth: 2
+    - run: echo "foo"
+      shell: bash
+
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout3.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout3.yml
new file mode 100644
index 00000000000..e0d32875ee7
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout3.yml
@@ -0,0 +1,13 @@
+name: Test
+on:
+  workflow_call:
+  workflow_run:
+    workflows: [Trigger]
+    types: [completed]
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/dangerous-git-checkout
+      - run: yarn test
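Review bot: Neither new fixture states that it is intentionally vulnerable, so the privileged checkout of PR head code that this test exists to exercise could be "fixed" away by a future cleanup; a header comment on action.yml such as `# Test fixture (CWE-829): deliberately checks out the untrusted PR head inside a composite action so UntrustedCheckoutCritical can trace the flow from this checkout to the workflow's run step; keep as is.` would make the intent durable, and the same comment belongs in untrusted_checkout3.yml (the second hunk), where the `workflow_run` trigger is what makes the checkout privileged. A related detail worth one line of comment at the `ref:` line of action.yml: under a `workflow_run` event `github.event.pull_request` is not part of the payload (the head commit is `github.event.workflow_run.head_sha`), so the expression models the untrusted-checkout pattern rather than a checkout that would resolve in this trigger, which is presumably what the test wants. Two style nits in action.yml: `using: "composite"` is the only quoted plain scalar in either file, and the empty added line 13 at end of file is the kind of trailing blank that yamllint's `empty-lines` rule reports.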
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
index 4431d865417..ce6d75bf113 100644
--- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
@@ -1,4 +1,7 @@
 edges
+| .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:11:7:12:18 | Run Step |
+| .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step |
+| .github/actions/dangerous-git-checkout/action.yml:11:7:12:18 | Run Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step |
 | .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step |
 | .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step |
 | .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step |
@@ -332,6 +335,11 @@ edges
 | .github/workflows/unpinned_tags.yml:9:7:10:4 | Uses Step | .github/workflows/unpinned_tags.yml:11:7:11:61 | Uses Step |
 | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | .github/workflows/unpinned_tags.yml:11:7:11:61 | Uses Step |
 | .github/workflows/untrusted_checkout2.yml:7:9:14:6 | Run Step: pr_number | .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step |
+| .github/workflows/untrusted_checkout3.yml:11:9:12:6 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step |
+| .github/workflows/untrusted_checkout3.yml:11:9:12:6 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:11:7:12:18 | Run Step |
+| .github/workflows/untrusted_checkout3.yml:11:9:12:6 | Uses Step | .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step |
+| .github/workflows/untrusted_checkout3.yml:11:9:12:6 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step |
+| .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step |
 | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step |
 | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:16:9:20:6 | Uses Step |
 | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step |