Add more sources, more unit tests, fixes to the GitHub Actions injection query

2026-04-26 09:15:12 +02:00 · 2023-04-03 15:02:02 +02:00
parent 69619f1fbc
commit 99d634c8a4
13 changed files with 220 additions and 19 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/comment_issue.yml
+++ b/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/comment_issue.yml
@@ -10,5 +10,6 @@ jobs:
  echo-chamber2:
    runs-on: ubuntu-latest
    steps:
-    - run: |
-        echo '${{ github.event.comment.body }}'
+    - run: echo '${{ github.event.comment.body }}'
+    - run: echo '${{ github.event.issue.body }}'
+    - run: echo '${{ github.event.issue.title }}'
--- a/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/discussion.yml
+++ b/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/discussion.yml
@@ -0,0 +1,8 @@
+on: discussion
+
+jobs:
+  echo-chamber:
+    runs-on: ubuntu-latest
+    steps:
+    - run: echo '${{ github.event.discussion.title }}'
+    - run: echo '${{ github.event.discussion.body }}'
--- a/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/discussion_comment.yml
+++ b/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/discussion_comment.yml
@@ -0,0 +1,9 @@
+on: discussion_comment
+
+jobs:
+  echo-chamber:
+    runs-on: ubuntu-latest
+    steps:
+    - run: echo '${{ github.event.discussion.title }}'
+    - run: echo '${{ github.event.discussion.body }}'
+    - run: echo '${{ github.event.comment.body }}'
--- a/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/gollum.yml
+++ b/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/gollum.yml
@@ -0,0 +1,11 @@
+on: gollum
+
+jobs:
+  echo-chamber:
+    runs-on: ubuntu-latest
+    steps:
+    - run: echo '${{ github.event.pages[1].title }}'
+    - run: echo '${{ github.event.pages[11].title }}'
+    - run: echo '${{ github.event.pages[0].page_name }}'
+    - run: echo '${{ github.event.pages[2222].page_name }}'
+    - run: echo '${{ toJSON(github.event.pages.*.title) }}' # safe
--- a/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/issues.yml
+++ b/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/issues.yml
@@ -0,0 +1,8 @@
+on: issues
+
+jobs:
+  echo-chamber:
+    runs-on: ubuntu-latest
+    steps:
+    - run: echo '${{ github.event.issue.title }}'
+    - run: echo '${{ github.event.issue.body }}'
--- a/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/pull_request_review.yml
+++ b/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/pull_request_review.yml
@@ -0,0 +1,14 @@
+on: pull_request_review
+
+jobs:
+  echo-chamber:
+    runs-on: ubuntu-latest
+    steps:
+    - run: echo '${{ github.event.pull_request.title }}'
+    - run: echo '${{ github.event.pull_request.body }}'
+    - run: echo '${{ github.event.pull_request.head.label }}'
+    - run: echo '${{ github.event.pull_request.head.repo.default_branch }}'
+    - run: echo '${{ github.event.pull_request.head.repo.description }}'
+    - run: echo '${{ github.event.pull_request.head.repo.homepage }}'
+    - run: echo '${{ github.event.pull_request.head.ref }}'
+    - run: echo '${{ github.event.review.body }}'
--- a/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/pull_request_review_comment.yml
+++ b/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/pull_request_review_comment.yml
@@ -0,0 +1,14 @@
+on: pull_request_review_comment
+
+jobs:
+  echo-chamber:
+    runs-on: ubuntu-latest
+    steps:
+    - run: echo '${{ github.event.pull_request.title }}'
+    - run: echo '${{ github.event.pull_request.body }}'
+    - run: echo '${{ github.event.pull_request.head.label }}'
+    - run: echo '${{ github.event.pull_request.head.repo.default_branch }}'
+    - run: echo '${{ github.event.pull_request.head.repo.description }}'
+    - run: echo '${{ github.event.pull_request.head.repo.homepage }}'
+    - run: echo '${{ github.event.pull_request.head.ref }}'
+    - run: echo '${{ github.event.comment.body }}'
--- a/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/pull_request_target.yml
+++ b/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/pull_request_target.yml
@@ -0,0 +1,16 @@
+on: pull_request_target
+
+jobs:
+  echo-chamber:
+    runs-on: ubuntu-latest
+    steps:
+    - run: echo '${{ github.event.issue.title }}' # not defined
+    - run: echo '${{ github.event.issue.body }}' # not defined
+    - run: echo '${{ github.event.pull_request.title }}'
+    - run: echo '${{ github.event.pull_request.body }}'
+    - run: echo '${{ github.event.pull_request.head.label }}'
+    - run: echo '${{ github.event.pull_request.head.repo.default_branch }}'
+    - run: echo '${{ github.event.pull_request.head.repo.description }}'
+    - run: echo '${{ github.event.pull_request.head.repo.homepage }}'
+    - run: echo '${{ github.event.pull_request.head.ref }}'
+    - run: echo '${{ github.head_ref }}'
--- a/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/push.yml
+++ b/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/push.yml
@@ -0,0 +1,16 @@
+on: push
+
+jobs:
+  echo-chamber:
+    runs-on: ubuntu-latest
+    steps:
+    - run: echo '${{ github.event.commits[11].message }}'
+    - run: echo '${{ github.event.commits[11].author.email }}'
+    - run: echo '${{ github.event.commits[11].author.name }}'
+    - run: echo '${{ github.event.head_commit.message }}'
+    - run: echo '${{ github.event.head_commit.author.email }}'
+    - run: echo '${{ github.event.head_commit.author.name }}'
+    - run: echo '${{ github.event.head_commit.committer.email }}'
+    - run: echo '${{ github.event.head_commit.committer.name }}'
+    - run: echo '${{ github.event.commits[11].committer.email }}'
+    - run: echo '${{ github.event.commits[11].committer.name }}'
--- a/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/workflow_run.yml
+++ b/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/workflow_run.yml
@@ -0,0 +1,16 @@
+on:
+  workflow_run:
+    workflows: [test]
+
+jobs:
+  echo-chamber:
+    runs-on: ubuntu-latest
+    steps:
+    - run: echo '${{ github.event.workflow_run.display_title }}'
+    - run: echo '${{ github.event.workflow_run.head_commit.message }}'
+    - run: echo '${{ github.event.workflow_run.head_commit.author.email }}'
+    - run: echo '${{ github.event.workflow_run.head_commit.author.name }}'
+    - run: echo '${{ github.event.workflow_run.head_commit.committer.email }}'
+    - run: echo '${{ github.event.workflow_run.head_commit.committer.name }}'
+    - run: echo '${{ github.event.workflow_run.head_branch }}'
+    - run: echo '${{ github.event.workflow_run.head_repository.description }}'
--- a/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/ExpressionInjection.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/ExpressionInjection.expected
@@ -1,3 +1,58 @@
 | .github/workflows/comment_issue.yml:7:12:8:48 | \| | Potential injection from the github.event.comment.body context, which may be controlled by an external user. |
-| .github/workflows/comment_issue.yml:13:12:14:47 | \| | Potential injection from the github.event.comment.body context, which may be controlled by an external user. |
+| .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | Potential injection from the github.event.comment.body context, which may be controlled by an external user. |
+| .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | Potential injection from the github.event.issue.body context, which may be controlled by an external user. |
+| .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | Potential injection from the github.event.issue.title context, which may be controlled by an external user. |
 | .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | Potential injection from the github.event.comment.body context, which may be controlled by an external user. |
+| .github/workflows/discussion.yml:7:12:7:54 | echo '$ ... tle }}' | Potential injection from the github.event.discussion.title context, which may be controlled by an external user. |
+| .github/workflows/discussion.yml:8:12:8:53 | echo '$ ... ody }}' | Potential injection from the github.event.discussion.body context, which may be controlled by an external user. |
+| .github/workflows/discussion_comment.yml:7:12:7:54 | echo '$ ... tle }}' | Potential injection from the github.event.discussion.title context, which may be controlled by an external user. |
+| .github/workflows/discussion_comment.yml:8:12:8:53 | echo '$ ... ody }}' | Potential injection from the github.event.discussion.body context, which may be controlled by an external user. |
+| .github/workflows/discussion_comment.yml:9:12:9:50 | echo '$ ... ody }}' | Potential injection from the github.event.comment.body context, which may be controlled by an external user. |
+| .github/workflows/gollum.yml:7:12:7:52 | echo '$ ... tle }}' | Potential injection from the github.event.pages[1].title context, which may be controlled by an external user. |
+| .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | Potential injection from the github.event.pages[11].title context, which may be controlled by an external user. |
+| .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | Potential injection from the github.event.pages[0].page_name context, which may be controlled by an external user. |
+| .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | Potential injection from the github.event.pages[2222].page_name context, which may be controlled by an external user. |
+| .github/workflows/issues.yml:7:12:7:49 | echo '$ ... tle }}' | Potential injection from the github.event.issue.title context, which may be controlled by an external user. |
+| .github/workflows/issues.yml:8:12:8:48 | echo '$ ... ody }}' | Potential injection from the github.event.issue.body context, which may be controlled by an external user. |
+| .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | Potential injection from the github.event.pull_request.title context, which may be controlled by an external user. |
+| .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | Potential injection from the github.event.pull_request.body context, which may be controlled by an external user. |
+| .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | Potential injection from the github.event.pull_request.head.label context, which may be controlled by an external user. |
+| .github/workflows/pull_request_review.yml:10:12:10:75 | echo '$ ... nch }}' | Potential injection from the github.event.pull_request.head.repo.default_branch context, which may be controlled by an external user. |
+| .github/workflows/pull_request_review.yml:11:12:11:72 | echo '$ ... ion }}' | Potential injection from the github.event.pull_request.head.repo.description context, which may be controlled by an external user. |
+| .github/workflows/pull_request_review.yml:12:12:12:69 | echo '$ ... age }}' | Potential injection from the github.event.pull_request.head.repo.homepage context, which may be controlled by an external user. |
+| .github/workflows/pull_request_review.yml:13:12:13:59 | echo '$ ... ref }}' | Potential injection from the github.event.pull_request.head.ref context, which may be controlled by an external user. |
+| .github/workflows/pull_request_review.yml:14:12:14:49 | echo '$ ... ody }}' | Potential injection from the github.event.review.body context, which may be controlled by an external user. |
+| .github/workflows/pull_request_review_comment.yml:7:12:7:56 | echo '$ ... tle }}' | Potential injection from the github.event.pull_request.title context, which may be controlled by an external user. |
+| .github/workflows/pull_request_review_comment.yml:8:12:8:55 | echo '$ ... ody }}' | Potential injection from the github.event.pull_request.body context, which may be controlled by an external user. |
+| .github/workflows/pull_request_review_comment.yml:9:12:9:61 | echo '$ ... bel }}' | Potential injection from the github.event.pull_request.head.label context, which may be controlled by an external user. |
+| .github/workflows/pull_request_review_comment.yml:10:12:10:75 | echo '$ ... nch }}' | Potential injection from the github.event.pull_request.head.repo.default_branch context, which may be controlled by an external user. |
+| .github/workflows/pull_request_review_comment.yml:11:12:11:72 | echo '$ ... ion }}' | Potential injection from the github.event.pull_request.head.repo.description context, which may be controlled by an external user. |
+| .github/workflows/pull_request_review_comment.yml:12:12:12:69 | echo '$ ... age }}' | Potential injection from the github.event.pull_request.head.repo.homepage context, which may be controlled by an external user. |
+| .github/workflows/pull_request_review_comment.yml:13:12:13:59 | echo '$ ... ref }}' | Potential injection from the github.event.pull_request.head.ref context, which may be controlled by an external user. |
+| .github/workflows/pull_request_review_comment.yml:14:12:14:50 | echo '$ ... ody }}' | Potential injection from the github.event.comment.body context, which may be controlled by an external user. |
+| .github/workflows/pull_request_target.yml:9:12:9:56 | echo '$ ... tle }}' | Potential injection from the github.event.pull_request.title context, which may be controlled by an external user. |
+| .github/workflows/pull_request_target.yml:10:12:10:55 | echo '$ ... ody }}' | Potential injection from the github.event.pull_request.body context, which may be controlled by an external user. |
+| .github/workflows/pull_request_target.yml:11:12:11:61 | echo '$ ... bel }}' | Potential injection from the github.event.pull_request.head.label context, which may be controlled by an external user. |
+| .github/workflows/pull_request_target.yml:12:12:12:75 | echo '$ ... nch }}' | Potential injection from the github.event.pull_request.head.repo.default_branch context, which may be controlled by an external user. |
+| .github/workflows/pull_request_target.yml:13:12:13:72 | echo '$ ... ion }}' | Potential injection from the github.event.pull_request.head.repo.description context, which may be controlled by an external user. |
+| .github/workflows/pull_request_target.yml:14:12:14:69 | echo '$ ... age }}' | Potential injection from the github.event.pull_request.head.repo.homepage context, which may be controlled by an external user. |
+| .github/workflows/pull_request_target.yml:15:12:15:59 | echo '$ ... ref }}' | Potential injection from the github.event.pull_request.head.ref context, which may be controlled by an external user. |
+| .github/workflows/pull_request_target.yml:16:12:16:40 | echo '$ ... ref }}' | Potential injection from the github.head_ref context, which may be controlled by an external user. |
+| .github/workflows/push.yml:7:12:7:57 | echo '$ ... age }}' | Potential injection from the github.event.commits[11].message context, which may be controlled by an external user. |
+| .github/workflows/push.yml:8:12:8:62 | echo '$ ... ail }}' | Potential injection from the github.event.commits[11].author.email context, which may be controlled by an external user. |
+| .github/workflows/push.yml:9:12:9:61 | echo '$ ... ame }}' | Potential injection from the github.event.commits[11].author.name context, which may be controlled by an external user. |
+| .github/workflows/push.yml:10:12:10:57 | echo '$ ... age }}' | Potential injection from the github.event.head_commit.message context, which may be controlled by an external user. |
+| .github/workflows/push.yml:11:12:11:62 | echo '$ ... ail }}' | Potential injection from the github.event.head_commit.author.email context, which may be controlled by an external user. |
+| .github/workflows/push.yml:12:12:12:61 | echo '$ ... ame }}' | Potential injection from the github.event.head_commit.author.name context, which may be controlled by an external user. |
+| .github/workflows/push.yml:13:12:13:65 | echo '$ ... ail }}' | Potential injection from the github.event.head_commit.committer.email context, which may be controlled by an external user. |
+| .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | Potential injection from the github.event.head_commit.committer.name context, which may be controlled by an external user. |
+| .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | Potential injection from the github.event.commits[11].committer.email context, which may be controlled by an external user. |
+| .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | Potential injection from the github.event.commits[11].committer.name context, which may be controlled by an external user. |
+| .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | Potential injection from the github.event.workflow_run.display_title context, which may be controlled by an external user. |
+| .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | Potential injection from the github.event.workflow_run.head_commit.message context, which may be controlled by an external user. |
+| .github/workflows/workflow_run.yml:11:12:11:75 | echo '$ ... ail }}' | Potential injection from the github.event.workflow_run.head_commit.author.email context, which may be controlled by an external user. |
+| .github/workflows/workflow_run.yml:12:12:12:74 | echo '$ ... ame }}' | Potential injection from the github.event.workflow_run.head_commit.author.name context, which may be controlled by an external user. |
+| .github/workflows/workflow_run.yml:13:12:13:78 | echo '$ ... ail }}' | Potential injection from the github.event.workflow_run.head_commit.committer.email context, which may be controlled by an external user. |
+| .github/workflows/workflow_run.yml:14:12:14:77 | echo '$ ... ame }}' | Potential injection from the github.event.workflow_run.head_commit.committer.name context, which may be controlled by an external user. |
+| .github/workflows/workflow_run.yml:15:12:15:62 | echo '$ ... nch }}' | Potential injection from the github.event.workflow_run.head_branch context, which may be controlled by an external user. |
+| .github/workflows/workflow_run.yml:16:12:16:78 | echo '$ ... ion }}' | Potential injection from the github.event.workflow_run.head_repository.description context, which may be controlled by an external user. |