From a84c1c4706b4fcce446e96aa7ddd6befdc6d9265 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Thu, 13 Jun 2024 11:51:15 +0200
Subject: [PATCH] Minor improvemnts
---
.../actions/security/ArtifactPoisoningQuery.qll | 13 +++++++------
ql/lib/codeql/actions/security/PoisonableSteps.qll | 5 +++--
2 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
index 45d9a08d00a..060471bb5dc 100644
--- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
+++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
@@ -20,12 +20,13 @@ class DownloadArtifactActionStep extends UntrustedArtifactDownloadStep, UsesStep
DownloadArtifactActionStep() { this.getCallee() = [
- "dawidd6/action-download-artifact", "marcofaggian/action-download-multiple-artifacts",
- "benday-inc/download-latest-artifact", "blablacar/action-download-last-artifact",
- "levonet/action-download-last-artifact", "bettermarks/action-artifact-download",
- "aochmann/actions-download-artifact", "cytopia/download-artifact-retry-action",
- "alextompkins/download-prior-artifact", "nmerget/download-gzip-artifact",
- "benday-inc/download-artifact", "synergy-au/download-workflow-artifacts-action",
+ "actions/download-artifact", "dawidd6/action-download-artifact",
+ "marcofaggian/action-download-multiple-artifacts", "benday-inc/download-latest-artifact",
+ "blablacar/action-download-last-artifact", "levonet/action-download-last-artifact",
+ "bettermarks/action-artifact-download", "aochmann/actions-download-artifact",
+ "cytopia/download-artifact-retry-action", "alextompkins/download-prior-artifact",
+ "nmerget/download-gzip-artifact", "benday-inc/download-artifact",
+ "synergy-au/download-workflow-artifacts-action",
"ishworkh/docker-image-artifact-download", "ishworkh/container-image-artifact-download", "sidx1024/action-download-artifact", "hyperskill/azblob-download-artifact", "ma-ve/action-download-artifact-with-retry" ] and
diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll
index 3349b5b1121..f80f09a32d8 100644
--- a/ql/lib/codeql/actions/security/PoisonableSteps.qll
+++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll
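Review bot: The new `"actions/download-artifact"` entry makes every use of the official action an `UntrustedArtifactDownloadStep`, yet as far as I know that action only reaches artifacts of other workflow runs when its v4 inputs `run-id`, `repository` and `github-token` are supplied, and a same-run artifact is attacker-controlled only if an earlier job of that run already executed untrusted code. Whether the query tells these cases apart depends on the conjunct after `] and`, which lies outside the hunk (the `DownloadArtifactActionStep` constructor continues past it); if that conjunct does not require a `run-id`/`run_id` input or a cross-run trigger, this entry will report benign same-run downloads alongside genuinely poisonable ones. A comment on the new entry would record the intent for the next reader, e.g. `// actions/download-artifact only crosses runs when run-id (v4) is set; same-run downloads are filtered by the condition below`, or, if no such filter exists below, the entry should be narrowed rather than listed unconditionally.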
@@ -19,10 +19,11 @@ class DangerousActionUsesStep extends PoisonableStep, UsesStep
private string dangerousCommands() { result = [
- "npm install", "npm run ", "yarn ", "npm ci(\\b|$)", "make ", "terraform plan",
+ "npm i(nstall)?(\\b|$)", "npm run ", "yarn ", "npm ci(\\b|$)", "make ", "terraform plan",
"terraform apply", "gomplate ", "pre-commit run", "pre-commit install", "go generate", "msbuild ", "mvn ", "gradle ", "bundle install", "bundle exec ", "^ant ", "mkdocs build",
- "pytest", "pip install -r ", "pip install --requirement", "java -jar "
+ "pytest", "pip install -r ", "pip install --requirement", "java -jar ", "poetry install",
+ "poetry run"
] }
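Review bot: Replacing the literal `"npm install"` with `"npm i(nstall)?(\\b|$)"` quietly turns that element of `dangerousCommands()` into a regular expression, but nothing at the definition says so; neighbours like `"pip install -r "` and `"bundle exec "` read as plain substrings whose trailing space is significant, and `"^ant "` already depends on an anchor, so the matching contract is non-obvious to anyone extending the list. A short comment above `result =` would keep the next addition from being a mis-quoted pattern, e.g. `// Each entry is a regex applied to the run script: a trailing space requires a following argument, (\b|$) matches the bare subcommand.`, which presumes the consumer outside this hunk applies the list with `regexpMatch`/`regexpFind` — a plain substring consumer would never match the new `(nstall)?` group and should be confirmed. For what it is worth, the `npm i` alternative correctly rejects `npm init` because `\b` does not fall between two word characters, and `poetry install`/`poetry run` are added as plain substrings consistent with the other entries.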