Add tests and update expected results

This commit is contained in:
Alvaro Muñoz
2024-12-09 21:47:28 +01:00
parent b80d3d56a3
commit bee0668cd0
6 changed files with 561 additions and 4 deletions


@@ -0,0 +1,251 @@
# Ultralytics Actions 🚀, AGPL-3.0 License https://ultralytics.com/license
name: "Ultralytics Actions"
author: "Ultralytics"
description: "Optimize code and docs with official Ultralytics Actions for syntax, spelling, and link checks."
branding:
icon: "code"
color: "blue"
inputs:
token:
description: "GitHub token"
required: true
labels:
description: "Run issue and PR auto-labeling"
required: false
default: "false"
python:
description: "Run Python formatting"
required: false
default: "false"
markdown:
description: "Run Markdown formatting (deprecated in favor of prettier)"
required: false
default: "false"
prettier:
description: "Run Prettier formatting for JavaScript, JSX, Angular, Vue, Flow, TypeScript, CSS, HTML, JSON, GraphQL, Markdown, YAML"
required: false
default: "false"
swift:
description: "Run Swift formatting"
required: false
default: "false"
spelling:
description: "Run Spelling checks"
required: false
default: "false"
links:
description: "Run Broken Links checks"
required: false
default: "false"
summary:
description: "Run PR Summary"
required: false
default: "false"
openai_api_key:
description: "OpenAI API Key"
required: false
openai_model:
description: "OpenAI Model"
required: false
default: "gpt-4o"
first_issue_response:
description: "Example response to a new issue"
required: false
first_pr_response:
description: "Example response to a new PR"
required: false
github_username:
description: "GitHub username for commits"
required: false
default: "UltralyticsAssistant"
github_email:
description: "GitHub email for commits"
required: false
default: "web@ultralytics.com"
runs:
using: "composite"
steps:
- uses: astral-sh/setup-uv@v3
- name: Install Dependencies
# Note tomli required for codespell with pyproject.toml
# For debug:
# python -m pip install --upgrade pip wheel
# pip install -q git+https://github.com/ultralytics/actions@main codespell tomli
run: |
packages="ultralytics-actions"
if [ "${{ inputs.spelling }}" = "true" ]; then
packages="$packages codespell tomli"
fi
# On macOS, don't use sudo as it can cause environment issues
if [ "$(uname)" = "Darwin" ]; then
pip install -q $packages
else
sudo env "PATH=$PATH" uv pip install --system $packages
fi
ultralytics-actions-info
shell: bash
# Checkout Repository ----------------------------------------------------------------------------------------------
- name: Checkout Repository
if: github.event.action != 'closed'
uses: actions/checkout@v4
with:
repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
token: ${{ inputs.token }}
ref: ${{ github.head_ref || github.ref }}
fetch-depth: 0
# PR Summary -------------------------------------------------------------------------------------------------------
- name: PR Summary
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.summary == 'true' && github.event.action != 'synchronize'
env:
GITHUB_TOKEN: ${{ inputs.token }}
OPENAI_API_KEY: ${{ inputs.openai_api_key }}
OPENAI_MODEL: ${{ inputs.openai_model }}
run: |
ultralytics-actions-summarize-pr
shell: bash
continue-on-error: true
# Python formatting ------------------------------------------------------------------------------------------------
# Ignores the following Docs rules to match Google-style docstrings:
# D100: Missing docstring in public module
# D104: Missing docstring in public package
# D203: 1 blank line required before class docstring
# D205: 1 blank line required between summary line and description
# D212: Multi-line docstring summary should start at the first line
# D213: Multi-line docstring summary should start at the second line
# D401: First line of docstring should be in imperative mood
# D406: Section name should end with a newline
# D407: Missing dashed underline after section
# D413: Missing blank line after last section
# --target-version is Python 3.8 for --extend-select UP (pyupgrade)
- name: Run Python
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.python == 'true' && github.event.action != 'closed'
run: |
ruff format \
--line-length 120 \
. || true
ruff check \
--fix \
--unsafe-fixes \
--extend-select I,D,UP \
--target-version py38 \
--ignore D100,D104,D203,D205,D212,D213,D401,D406,D407,D413 \
. || true
docformatter \
--wrap-summaries 120 \
--wrap-descriptions 120 \
--pre-summary-newline \
--close-quotes-on-newline \
--in-place \
--recursive \
.
shell: bash
continue-on-error: true
# Prettier (JavaScript, JSX, Angular, Vue, Flow, TypeScript, CSS, HTML, JSON, GraphQL, Markdown, YAML) -------------
- name: Run Prettier
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && (inputs.prettier == 'true' || inputs.markdown == 'true') && github.event.action != 'closed'
run: |
ultralytics-actions-update-markdown-code-blocks
npm install --global prettier
npx prettier --write "**/*.{js,jsx,ts,tsx,css,less,scss,json,yml,yaml,html,vue,svelte}" '!**/*lock.{json,yaml,yml}' '!**/*.lock' '!**/model.json'
# Handle Markdown separately
find . -name "*.md" ! -path "*/docs/*" -exec npx prettier --write {} +
if [ -d "./docs" ]; then
find ./docs -name "*.md" ! -path "*/reference/*" -exec npx prettier --tab-width 4 --write {} +
fi
shell: bash
continue-on-error: true
# - name: Fix MkDocs reference section changes
# if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && (inputs.prettier == 'true' || inputs.markdown == 'true') && github.event.action != 'closed'
# run: |
# from pathlib import Path
# for file in Path("./docs").rglob('*.md'):
# content = file.read_text()
# updated_content = content.replace(".\_","._")
# file.write_text(updated_content)
# shell: python
# continue-on-error: true
# Swift formatting -------------------------------------------------------------------------------------------------
- name: Run Swift Formatter
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.swift == 'true' && github.event.action != 'closed'
run: |
brew install swift-format
swift-format --in-place --recursive .
shell: bash
continue-on-error: true
# Spelling ---------------------------------------------------------------------------------------------------------
- name: Run Codespell
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.spelling == 'true' && github.event.action != 'closed'
run: |
codespell \
--write-changes \
--ignore-words-list "crate,nd,ned,strack,dota,ane,segway,fo,gool,winn,commend,bloc,nam,afterall,skelton,goin" \
--skip "*.pt,*.pth,*.torchscript,*.onnx,*.tflite,*.pb,*.bin,*.param,*.mlmodel,*.engine,*.npy,*.data*,*.csv,*pnnx*,*venv*,*translat*,*lock*,__pycache__*,*.ico,*.jpg,*.png,*.mp4,*.mov,/runs,/.git,./docs/??/*.md,./docs/mkdocs_??.yml"
shell: bash
continue-on-error: true
# Autolabel Issues and PRs (run before commit changes in case commit fails) ----------------------------------------
- name: Autolabel Issues and PRs
if: inputs.labels == 'true' && (github.event.action == 'opened' || github.event.action == 'created')
env:
GITHUB_TOKEN: ${{ inputs.token }}
FIRST_ISSUE_RESPONSE: ${{ inputs.first_issue_response }}
FIRST_PR_RESPONSE: ${{ inputs.first_pr_response }}
OPENAI_API_KEY: ${{ inputs.openai_api_key }}
OPENAI_MODEL: ${{ inputs.openai_model }}
run: |
ultralytics-actions-first-interaction
shell: bash
continue-on-error: true
# Commit Changes ---------------------------------------------------------------------------------------------------
- name: Commit and Push Changes
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && github.event.action != 'closed'
run: |
git config --global user.name "${{ inputs.github_username }}"
git config --global user.email "${{ inputs.github_email }}"
git pull origin ${{ github.head_ref || github.ref }}
git add .
git reset HEAD -- .github/workflows/ # workflow changes are not permitted with default token
if ! git diff --staged --quiet; then
git commit -m "Auto-format by https://ultralytics.com/actions"
git push
else
echo "No changes to commit"
fi
shell: bash
continue-on-error: false
# Broken links -----------------------------------------------------------------------------------------------------
- name: Broken Link Checker
if: inputs.links == 'true' && github.event.action != 'closed'
uses: lycheeverse/lychee-action@v2.0.2
with:
# Check all markdown and html files in repo. Ignores the following status codes to reduce false positives:
# - 403(OpenVINO, "forbidden")
# - 429(Instagram, "too many requests")
# - 500(Zenodo, "cached")
# - 502(Zenodo, "bad gateway")
# - 999(LinkedIn, "unknown status code")
args: |
--scheme https
--timeout 60
--insecure
--accept 403,429,500,502,999
--exclude-all-private
--exclude "https?://(www\.)?(github\.com|linkedin\.com|twitter\.com|instagram\.com|kaggle\.com|fonts\.gstatic\.com|url\.com)"
"./**/*.md"
"./**/*.html"
token: ${{ inputs.token }}
output: ../lychee/results.md
fail: true
continue-on-error: false
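Review bot: The fixture carries no header saying what it is meant to exercise, so nothing ties it to its `.expected` entry: the expected output in this commit reports only the `${{ github.head_ref || github.ref }}` interpolation in the `git pull` line of the "Commit and Push Changes" step, while the `${{ inputs.spelling }}`, `${{ inputs.github_username }}` and `${{ inputs.github_email }}` interpolations in the same file are not reported, apparently because test28.yml invokes this action with literal values for those inputs. A comment at the top of the file such as `# Test fixture: invoked from .github/workflows/test28.yml on pull_request_target; expected finding is the github.head_ref interpolation in the git pull line of the commit step` would keep fixture and expectation in sync when either is edited. The branch-name interpolation is the intended sink (a PR head branch name reaching a bash `run:` under a `pull_request_target` caller with write permissions), so it should stay as written; a `# SINK: github.head_ref is PR-controlled` marker on that line would make the intent explicit rather than leaving it to look like an upstream copy-paste.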


@@ -0,0 +1,252 @@
# Ultralytics Actions 🚀, AGPL-3.0 License https://ultralytics.com/license
name: "Ultralytics Actions"
author: "Ultralytics"
description: "Optimize code and docs with official Ultralytics Actions for syntax, spelling, and link checks."
branding:
icon: "code"
color: "blue"
inputs:
token:
description: "GitHub token"
required: true
labels:
description: "Run issue and PR auto-labeling"
required: false
default: "false"
python:
description: "Run Python formatting"
required: false
default: "false"
markdown:
description: "Run Markdown formatting (deprecated in favor of prettier)"
required: false
default: "false"
prettier:
description: "Run Prettier formatting for JavaScript, JSX, Angular, Vue, Flow, TypeScript, CSS, HTML, JSON, GraphQL, Markdown, YAML"
required: false
default: "false"
swift:
description: "Run Swift formatting"
required: false
default: "false"
spelling:
description: "Run Spelling checks"
required: false
default: "false"
links:
description: "Run Broken Links checks"
required: false
default: "false"
summary:
description: "Run PR Summary"
required: false
default: "false"
openai_api_key:
description: "OpenAI API Key"
required: false
openai_model:
description: "OpenAI Model"
required: false
default: "gpt-4o"
first_issue_response:
description: "Example response to a new issue"
required: false
first_pr_response:
description: "Example response to a new PR"
required: false
github_username:
description: "GitHub username for commits"
required: false
default: "UltralyticsAssistant"
github_email:
description: "GitHub email for commits"
required: false
default: "web@ultralytics.com"
runs:
using: "composite"
steps:
- uses: astral-sh/setup-uv@v3
- name: Install Dependencies
# Note tomli required for codespell with pyproject.toml
# For debug:
# python -m pip install --upgrade pip wheel
# pip install -q git+https://github.com/ultralytics/actions@main codespell tomli
run: |
packages="ultralytics-actions"
if [ "${{ inputs.spelling }}" = "true" ]; then
packages="$packages codespell tomli"
fi
# On macOS, don't use sudo as it can cause environment issues
if [ "$(uname)" = "Darwin" ]; then
pip install -q $packages
else
sudo env "PATH=$PATH" uv pip install --system $packages
fi
ultralytics-actions-info
shell: bash
# Checkout Repository ----------------------------------------------------------------------------------------------
- name: Checkout Repository
if: github.event.action != 'closed'
uses: actions/checkout@v4
with:
repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
token: ${{ inputs.token }}
ref: ${{ github.head_ref || github.ref }}
fetch-depth: 0
# PR Summary -------------------------------------------------------------------------------------------------------
- name: PR Summary
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.summary == 'true' && github.event.action != 'synchronize'
env:
GITHUB_TOKEN: ${{ inputs.token }}
OPENAI_API_KEY: ${{ inputs.openai_api_key }}
OPENAI_MODEL: ${{ inputs.openai_model }}
run: |
ultralytics-actions-summarize-pr
shell: bash
continue-on-error: true
# Python formatting ------------------------------------------------------------------------------------------------
# Ignores the following Docs rules to match Google-style docstrings:
# D100: Missing docstring in public module
# D104: Missing docstring in public package
# D203: 1 blank line required before class docstring
# D205: 1 blank line required between summary line and description
# D212: Multi-line docstring summary should start at the first line
# D213: Multi-line docstring summary should start at the second line
# D401: First line of docstring should be in imperative mood
# D406: Section name should end with a newline
# D407: Missing dashed underline after section
# D413: Missing blank line after last section
# --target-version is Python 3.8 for --extend-select UP (pyupgrade)
- name: Run Python
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.python == 'true' && github.event.action != 'closed'
run: |
ruff format \
--line-length 120 \
. || true
ruff check \
--fix \
--unsafe-fixes \
--extend-select I,D,UP \
--target-version py38 \
--ignore D100,D104,D203,D205,D212,D213,D401,D406,D407,D413 \
. || true
docformatter \
--wrap-summaries 120 \
--wrap-descriptions 120 \
--pre-summary-newline \
--close-quotes-on-newline \
--in-place \
--recursive \
.
shell: bash
continue-on-error: true
# Prettier (JavaScript, JSX, Angular, Vue, Flow, TypeScript, CSS, HTML, JSON, GraphQL, Markdown, YAML) -------------
- name: Run Prettier
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && (inputs.prettier == 'true' || inputs.markdown == 'true') && github.event.action != 'closed'
run: |
ultralytics-actions-update-markdown-code-blocks
npm install --global prettier
npx prettier --write "**/*.{js,jsx,ts,tsx,css,less,scss,json,yml,yaml,html,vue,svelte}" '!**/*lock.{json,yaml,yml}' '!**/*.lock' '!**/model.json'
# Handle Markdown separately
find . -name "*.md" ! -path "*/docs/*" -exec npx prettier --write {} +
if [ -d "./docs" ]; then
find ./docs -name "*.md" ! -path "*/reference/*" -exec npx prettier --tab-width 4 --write {} +
fi
shell: bash
continue-on-error: true
# - name: Fix MkDocs reference section changes
# if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && (inputs.prettier == 'true' || inputs.markdown == 'true') && github.event.action != 'closed'
# run: |
# from pathlib import Path
# for file in Path("./docs").rglob('*.md'):
# content = file.read_text()
# updated_content = content.replace(".\_","._")
# file.write_text(updated_content)
# shell: python
# continue-on-error: true
# Swift formatting -------------------------------------------------------------------------------------------------
- name: Run Swift Formatter
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.swift == 'true' && github.event.action != 'closed'
run: |
brew install swift-format
swift-format --in-place --recursive .
shell: bash
continue-on-error: true
# Spelling ---------------------------------------------------------------------------------------------------------
- name: Run Codespell
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.spelling == 'true' && github.event.action != 'closed'
run: |
codespell \
--write-changes \
--ignore-words-list "crate,nd,ned,strack,dota,ane,segway,fo,gool,winn,commend,bloc,nam,afterall,skelton,goin" \
--skip "*.pt,*.pth,*.torchscript,*.onnx,*.tflite,*.pb,*.bin,*.param,*.mlmodel,*.engine,*.npy,*.data*,*.csv,*pnnx*,*venv*,*translat*,*lock*,__pycache__*,*.ico,*.jpg,*.png,*.mp4,*.mov,/runs,/.git,./docs/??/*.md,./docs/mkdocs_??.yml"
shell: bash
continue-on-error: true
# Autolabel Issues and PRs (run before commit changes in case commit fails) ----------------------------------------
- name: Autolabel Issues and PRs
if: inputs.labels == 'true' && (github.event.action == 'opened' || github.event.action == 'created')
env:
GITHUB_TOKEN: ${{ inputs.token }}
FIRST_ISSUE_RESPONSE: ${{ inputs.first_issue_response }}
FIRST_PR_RESPONSE: ${{ inputs.first_pr_response }}
OPENAI_API_KEY: ${{ inputs.openai_api_key }}
OPENAI_MODEL: ${{ inputs.openai_model }}
run: |
ultralytics-actions-first-interaction
shell: bash
continue-on-error: true
# Commit Changes ---------------------------------------------------------------------------------------------------
- name: Commit and Push Changes
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && github.event.action != 'closed'
run: |
git config --global user.name "${{ inputs.github_username }}"
git config --global user.email "${{ inputs.github_email }}"
# this action is not called in the test
git pull origin ${{ github.head_ref || github.ref }}
git add .
git reset HEAD -- .github/workflows/ # workflow changes are not permitted with default token
if ! git diff --staged --quiet; then
git commit -m "Auto-format by https://ultralytics.com/actions"
git push
else
echo "No changes to commit"
fi
shell: bash
continue-on-error: false
# Broken links -----------------------------------------------------------------------------------------------------
- name: Broken Link Checker
if: inputs.links == 'true' && github.event.action != 'closed'
uses: lycheeverse/lychee-action@v2.0.2
with:
# Check all markdown and html files in repo. Ignores the following status codes to reduce false positives:
# - 403(OpenVINO, "forbidden")
# - 429(Instagram, "too many requests")
# - 500(Zenodo, "cached")
# - 502(Zenodo, "bad gateway")
# - 999(LinkedIn, "unknown status code")
args: |
--scheme https
--timeout 60
--insecure
--accept 403,429,500,502,999
--exclude-all-private
--exclude "https?://(www\.)?(github\.com|linkedin\.com|twitter\.com|instagram\.com|kaggle\.com|fonts\.gstatic\.com|url\.com)"
"./**/*.md"
"./**/*.html"
token: ${{ inputs.token }}
output: ../lychee/results.md
fail: true
continue-on-error: false
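Review bot: The comment `# this action is not called in the test` in the "Commit and Push Changes" step sits inside the `run: |` block scalar, so it becomes part of the shell script rather than fixture documentation, and it also shifts the `git pull` line to 217 — the reason the `.expected` line numbers for this file (77, 214, 215, 217) differ from action6's. Move it to the file header as `# Test fixture: identical to action6 but not referenced by any workflow, so every ${{ inputs.* }} interpolation is treated as untrusted (expected findings: inputs.spelling, inputs.github_username, inputs.github_email, github.head_ref)`. That wording also documents why the two near-identical fixtures exist, which is otherwise only recoverable by diffing them.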


@@ -0,0 +1,34 @@
# Ultralytics 🚀 - AGPL-3.0 License https://ultralytics.com/license
# Ultralytics Actions https://github.com/ultralytics/actions
# This workflow automatically formats code and documentation in PRs to official Ultralytics standards
name: Ultralytics Actions
on:
issues:
types: [opened, edited]
discussion:
types: [created]
pull_request_target:
branches: [main]
types: [opened, closed, synchronize, review_requested]
permissions:
contents: write
jobs:
format:
runs-on: ubuntu-latest
steps:
- name: Run Ultralytics Formatting
uses: ./.github/actions/action6
with:
token: ${{ secrets._GITHUB_TOKEN }} # note GITHUB_TOKEN automatically generated
labels: true # autolabel issues and PRs
python: true # format Python code and docstrings
prettier: true # format YAML, JSON, Markdown and CSS
spelling: true # check spelling
links: false # check broken links
summary: true # print PR summary with GPT4o (requires 'openai_api_key')
openai_api_key: ${{ secrets.OPENAI_API_KEY }}
first_issue_response: "foo"
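Review bot: The `token:` line reads a repository secret named `_GITHUB_TOKEN`, but its inline comment says "GITHUB_TOKEN automatically generated", which describes `${{ secrets.GITHUB_TOKEN }}` — one of the two should change, since a reader may otherwise assume the workflow runs with the auto-generated token when it in fact expects a stored PAT. As this is the caller fixture for action6, a header line such as `# Test fixture: triggers ./.github/actions/action6 on pull_request_target with contents: write; see test28.yml entry in the .expected output` would state why `pull_request_target` and `contents: write` are present rather than looking like a copied production workflow. The `labels`, `python`, `prettier`, `spelling`, `links` and `summary` values are written as YAML booleans while the action declares string defaults of `"false"`; quoting them as `"true"`/`"false"` would match the declared input type, though the runner coerces them either way.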


@@ -230,6 +230,8 @@ edges
| .github/workflows/untrusted_checkout1.yml:12:14:13:63 | echo "::set-output name=pr_number::$(<artifact.txt)"\n | .github/workflows/untrusted_checkout1.yml:11:9:14:6 | Run Step: artifact [pr_number] | provenance | |
nodes
| .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body |
| .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body |
| .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body |
| .github/actions/action5/action.yml:4:3:4:7 | input taint | semmle.label | input taint |
| .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result2] | semmle.label | output Job outputs node [result2] |
| .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | semmle.label | output Job outputs node [result] |
@@ -241,6 +243,11 @@ nodes
| .github/actions/action5/action.yml:26:7:31:4 | Run Step: step2 [result2] | semmle.label | Run Step: step2 [result2] |
| .github/actions/action5/action.yml:28:16:28:45 | github.event.issue.body | semmle.label | github.event.issue.body |
| .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | semmle.label | inputs.taint |
| .github/actions/action6/action.yml:216:25:216:60 | github.head_ref \|\| github.ref | semmle.label | github.head_ref \|\| github.ref |
| .github/actions/action7/action.yml:77:15:77:36 | inputs.spelling | semmle.label | inputs.spelling |
| .github/actions/action7/action.yml:214:41:214:69 | inputs.github_username | semmle.label | inputs.github_username |
| .github/actions/action7/action.yml:215:41:215:66 | inputs.github_email | semmle.label | inputs.github_email |
| .github/actions/action7/action.yml:217:25:217:60 | github.head_ref \|\| github.ref | semmle.label | github.head_ref \|\| github.ref |
| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | semmle.label | input title |
| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | semmle.label | output Job outputs node [result] |
| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | semmle.label | steps.out.outputs.replaced |
@@ -364,6 +371,7 @@ nodes
| .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] |
| .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files |
| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output |
| .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output |
| .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | semmle.label | github.event.issue.title |
| .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | semmle.label | github.event.issue.title |
| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | semmle.label | github.event.issue.title |
@@ -652,6 +660,7 @@ subpaths
| .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/composite-action-caller-1.yml:3:3:3:21 | pull_request_target | pull_request_target |
| .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | issue_comment |
| .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | ${{ inputs.taint }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | issue_comment |
| .github/actions/action6/action.yml:216:25:216:60 | github.head_ref \|\| github.ref | .github/actions/action6/action.yml:216:25:216:60 | github.head_ref \|\| github.ref | .github/actions/action6/action.yml:216:25:216:60 | github.head_ref \|\| github.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/action6/action.yml:216:25:216:60 | github.head_ref \|\| github.ref | ${{ github.head_ref \|\| github.ref }} | .github/workflows/test28.yml:12:3:12:21 | pull_request_target | pull_request_target |
| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | ${{ inputs.title }} | .github/workflows/composite-action-caller-4.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/test22.yml:2:3:2:14 | workflow_run | workflow_run |
| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:84:75 | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<<EOF" >> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | ${{ steps.git-commit.outputs.file-list }} | .github/workflows/test22.yml:2:3:2:14 | workflow_run | workflow_run |


@@ -230,6 +230,8 @@ edges
| .github/workflows/untrusted_checkout1.yml:12:14:13:63 | echo "::set-output name=pr_number::$(<artifact.txt)"\n | .github/workflows/untrusted_checkout1.yml:11:9:14:6 | Run Step: artifact [pr_number] | provenance | |
nodes
| .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body |
| .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body |
| .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body |
| .github/actions/action5/action.yml:4:3:4:7 | input taint | semmle.label | input taint |
| .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result2] | semmle.label | output Job outputs node [result2] |
| .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | semmle.label | output Job outputs node [result] |
@@ -241,6 +243,11 @@ nodes
| .github/actions/action5/action.yml:26:7:31:4 | Run Step: step2 [result2] | semmle.label | Run Step: step2 [result2] |
| .github/actions/action5/action.yml:28:16:28:45 | github.event.issue.body | semmle.label | github.event.issue.body |
| .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | semmle.label | inputs.taint |
| .github/actions/action6/action.yml:216:25:216:60 | github.head_ref \|\| github.ref | semmle.label | github.head_ref \|\| github.ref |
| .github/actions/action7/action.yml:77:15:77:36 | inputs.spelling | semmle.label | inputs.spelling |
| .github/actions/action7/action.yml:214:41:214:69 | inputs.github_username | semmle.label | inputs.github_username |
| .github/actions/action7/action.yml:215:41:215:66 | inputs.github_email | semmle.label | inputs.github_email |
| .github/actions/action7/action.yml:217:25:217:60 | github.head_ref \|\| github.ref | semmle.label | github.head_ref \|\| github.ref |
| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | semmle.label | input title |
| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | semmle.label | output Job outputs node [result] |
| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | semmle.label | steps.out.outputs.replaced |
@@ -364,6 +371,7 @@ nodes
| .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] |
| .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files |
| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output |
| .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output |
| .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | semmle.label | github.event.issue.title |
| .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | semmle.label | github.event.issue.title |
| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | semmle.label | github.event.issue.title |
@@ -649,6 +657,12 @@ subpaths
| .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] |
| .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] |
#select
| .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} |
| .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} |
| .github/actions/action7/action.yml:77:15:77:36 | inputs.spelling | .github/actions/action7/action.yml:77:15:77:36 | inputs.spelling | .github/actions/action7/action.yml:77:15:77:36 | inputs.spelling | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action7/action.yml:77:15:77:36 | inputs.spelling | ${{ inputs.spelling }} |
| .github/actions/action7/action.yml:214:41:214:69 | inputs.github_username | .github/actions/action7/action.yml:214:41:214:69 | inputs.github_username | .github/actions/action7/action.yml:214:41:214:69 | inputs.github_username | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action7/action.yml:214:41:214:69 | inputs.github_username | ${{ inputs.github_username }} |
| .github/actions/action7/action.yml:215:41:215:66 | inputs.github_email | .github/actions/action7/action.yml:215:41:215:66 | inputs.github_email | .github/actions/action7/action.yml:215:41:215:66 | inputs.github_email | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action7/action.yml:215:41:215:66 | inputs.github_email | ${{ inputs.github_email }} |
| .github/actions/action7/action.yml:217:25:217:60 | github.head_ref \|\| github.ref | .github/actions/action7/action.yml:217:25:217:60 | github.head_ref \|\| github.ref | .github/actions/action7/action.yml:217:25:217:60 | github.head_ref \|\| github.ref | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action7/action.yml:217:25:217:60 | github.head_ref \|\| github.ref | ${{ github.head_ref \|\| github.ref }} |
| .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | ${{ steps.changed-files1.outputs.all_changed_files }} |
| .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | ${{ steps.changed-files3.outputs.all_changed_files }} |
| .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | ${{ steps.changed-files5.outputs.all_changed_files }} |
@@ -662,6 +676,7 @@ subpaths
| .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} |
| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} |
| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} |
| .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} |
| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | ${{ github.event.commits[11].message }} |
| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | ${{ github.event.commits[11].author.email }} |
| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | ${{ github.event.commits[11].author.name }} |


@@ -323,10 +323,6 @@ edges
| .github/workflows/workflow_run_untrusted_checkout_3.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_3.yml:16:9:18:31 | Uses Step |
#select
| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/artifactpoisoning91.yml:3:3:3:14 | workflow_run | workflow_run |
| .github/workflows/artifactpoisoning91.yml:29:9:29:27 | Run Step | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:29:9:29:27 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/artifactpoisoning91.yml:3:3:3:14 | workflow_run | workflow_run |
| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run |
| .github/workflows/artifactpoisoning92.yml:29:9:29:27 | Run Step | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:9:29:27 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run |
| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
| .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |