Merge pull request #98 from github/improve_arginj

improve arginj
This commit is contained in:
Alvaro Muñoz
2024-10-02 12:36:06 +02:00
committed by GitHub
25 changed files with 440 additions and 129 deletions


@@ -293,6 +293,10 @@ class Run extends Step instanceof RunImpl {
Expression getAnScriptExpr() { result = super.getAnScriptExpr() }
string getWorkingDirectory() { result = super.getWorkingDirectory() }
string getACommand() { result = super.getACommand() }
predicate getAnAssignment(string name, string value) { super.getAnAssignment(name, value) }
}
abstract class SimpleReferenceExpression extends AstNode instanceof SimpleReferenceExpressionImpl {
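Review bot: `predicate getAnAssignment(string name, string value)` at L16 has no result but carries a `get` prefix; if I recall the QL style guide correctly, member predicates without a result take an `is`/`has` prefix, so `hasAssignment(string name, string value)` would read as the predicate it is. The same name is introduced on `RunImpl` and in the `Bash` module in this PR, so any rename has to cover all three together. Neither `getACommand` at L15 nor `getAnAssignment` has a QLDoc line; a one-liner such as `/** Gets a single shell command of the step's script, with `$(...)`/backtick substitutions split out. */` would help callers, since the splitting rules are non-obvious. The `Run` class starts before this hunk.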


@@ -54,7 +54,6 @@ predicate isBashParameterExpansion(string expr, string parameter, string operato
)
}
// TODO, the followinr test fails
bindingset[raw_content]
predicate extractVariableAndValue(string raw_content, string key, string value) {
exists(string regexp, string content | content = trimQuotes(raw_content) |
@@ -246,10 +245,6 @@ predicate inNonPrivilegedContext(AstNode node) {
not node.getEnclosingJob().isPrivilegedExternallyTriggerable(_)
}
string partialFileContentRegexp() {
result = ["cat\\s+", "jq\\s+", "yq\\s+", "tail\\s+", "head\\s+", "ls\\s+"]
}
bindingset[snippet]
predicate outputsPartialFileContent(string snippet) {
// e.g.
@@ -257,7 +252,7 @@ predicate outputsPartialFileContent(string snippet) {
// echo "FOO=$(<foo.txt)" >> $GITHUB_ENV
// yq '.foo' foo.yml >> $GITHUB_PATH
// cat foo.txt >> $GITHUB_PATH
snippet.regexpMatch(["(\\$\\(|`)<.*", ".*(\\b|^|\\s+)" + partialFileContentRegexp() + ".*"])
Bash::getACommand(snippet).indexOf(["<", Bash::partialFileContentCommand() + " "]) = 0
}
string defaultBranchNames() {
@@ -310,3 +305,96 @@ string normalizePath(string path) {
*/
bindingset[subpath, path]
predicate isSubpath(string subpath, string path) { subpath.substring(0, path.length()) = path }
module Bash {
string stmtSeparator() { result = ";" }
string commandSeparator() { result = ["&&", "||"] }
string pipeSeparator() { result = "|" }
string splitSeparators() {
result = stmtSeparator() or result = commandSeparator() or result = pipeSeparator()
}
string redirectionSeparator() { result = [">", ">>", "2>", "2>>", ">&", "2>&", "<", "<<<"] }
string partialFileContentCommand() { result = ["cat", "jq", "yq", "tail", "head"] }
bindingset[script]
string getACommand(string script) {
exists(string stmt_, string stmt, string subline2, string cmd |
stmt_ = script.regexpReplaceAll("\\\\\\s*\n", "").splitAt("\n") and
stmt =
[
// $() command substitution
stmt_
.regexpFind("\\$\\((?:[^()]+|\\((?:[^()]+|\\([^()]*\\))*\\))*\\)", _, _)
.regexpReplaceAll("^\\$\\(", "")
.regexpReplaceAll("\\)$", ""),
// `...` command substitution
stmt_
.regexpFind("\\`[^\\`]+\\`", _, _)
.regexpReplaceAll("^\\`", "")
.regexpReplaceAll("\\`$", ""),
// original line with no substitutions
stmt_
.regexpReplaceAll("\\`[^\\`]+\\`", "SUBCOMMAND")
.regexpReplaceAll("\\$\\((?:[^()]+|\\((?:[^()]+|\\([^()]*\\))*\\))*\\)", "SUBCOMMAND")
] and
// We shoulg replace quoted arguments with a placeholder to avoid splitting them
// eg: ls | grep -E "*.(tar.gz|zip)$"
//subline2 = subline.regexpReplaceAll("\"([^\"]+)\"", "$0").regexpReplaceAll("'([^']+)'", "$0") and
(
stmt.regexpMatch(".*\"([^\"]+)\".*") and
exists(int i |
subline2 =
stmt.replaceAll(stmt.regexpFind("\"([^\"]+)\"", _, i),
stmt.regexpFind("\"([^\"]+)\"", _, i)
.replaceAll("|", "::PIPE::")
.replaceAll(";", "::SEMICOLON::")
.replaceAll("&&", "::AND::")
.replaceAll("||", "::OR::"))
)
or
stmt.regexpMatch(".*'([^']+)'.*") and
exists(int i |
subline2 =
stmt.replaceAll(stmt.regexpFind("'([^']+)'", _, i),
stmt.regexpFind("'([^']+)'", _, i)
.replaceAll("|", "::PIPE::")
.replaceAll(";", "::SEMICOLON::")
.replaceAll("&&", "::AND::")
.replaceAll("||", "::OR::"))
)
or
not stmt.regexpMatch(".*'([^']+)'.*") and
not stmt.regexpMatch(".*\"([^\"]+)\".*") and
subline2 = stmt
) and
cmd = subline2.splitAt(splitSeparators()).trim() and
// when splitting the line with a separator that is not found, the result is the original line which may contain other separators
// we only one the split parts that do not contain any of the separators
not cmd.indexOf(splitSeparators()) > -1 and
not cmd =
[
"", "for", "in", "do", "done", "if", "then", "else", "elif", "fi", "while", "until",
"case", "esac", "{", "}"
] and
result =
cmd.replaceAll("::PIPE::", "|")
.replaceAll("::SEMICOLON::", ";")
.replaceAll("::AND::", "&&")
.replaceAll("::OR::", "||")
)
}
bindingset[script]
predicate getAnAssignment(string script, string name, string value) {
exists(string stmt |
stmt = script.regexpReplaceAll("\\\\\\s*\n", "").splitAt("\n").trim() and
name = stmt.regexpCapture("^([a-zA-Z0-9\\-_]+)=.*", 1) and
value = stmt.regexpCapture("^[a-zA-Z0-9\\-_]+=(.*)", 1)
)
}
}
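Review bot: `getACommand` drops commands from lines that mix separators: `subline2.splitAt(splitSeparators())` at L110 splits on one separator at a time and L113 then discards every part that still holds another separator, so for `a; b | c` the `;` split gives `a` and `b | c` (discarded), the `|` split gives `a; b` (discarded) and `c`, and `b` is never returned. Collapsing all separators to one before splitting avoids that, e.g. `cmd = subline2.replaceAll("||", ";").replaceAll("&&", ";").replaceAll("|", ";").splitAt(";").trim()` (`||` before `|`), with the L113 guard kept as a safety net. The quote masking at L83-L109 has a similar limit: each `subline2` masks a single quoted segment, so a line with two quoted strings that both contain a separator is still split inside the unmasked one. `getAnAssignment` at L127-L133 anchors on `^name=`, so `export FOO=$(cat file)` is not reported; the env-path-injection, env-var-injection and output-clobbering sinks that now call it inherit that gap, and a `// export/local/declare prefixes are not handled` comment would make it explicit.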


@@ -722,13 +722,10 @@ class EventImpl extends AstNodeImpl, TEventNode {
not this.getName() = "workflow_run"
or
this.getName() = "workflow_run" and
// workflow_run cannot be externally triggered if they triggering workflow runs in the context of the default branch
// since an attacker can change the triggering workflow from any event to `pull_request` to trigger the workflow
// but in that case, the triggering workflow will run in the context of the PR head branch
(
not exists(this.getAPropertyValue("branches")) or
this.getAPropertyValue("branches").matches("%*%")
)
// workflow_run cannot be externally triggered if the triggering workflow runs in the context of the default branch
// An attacker can change the triggering workflow from any event to `pull_request` to trigger the workflow
// in that case, the triggering workflow will run in the context of the PR head branch
not exists(this.getAPropertyValue("branches"))
or
// the event is `workflow_call` and there is a caller workflow that can be triggered externally
this.getName() = "workflow_call" and
@@ -1322,6 +1319,12 @@ class RunImpl extends StepImpl {
string getScript() { result = script.getValue().regexpReplaceAll("\\\\\\s*\n", "") }
string getACommand() { result = Bash::getACommand(this.getScript()) }
predicate getAnAssignment(string name, string value) {
Bash::getAnAssignment(this.getScript(), name, value)
}
ScalarValueImpl getScriptScalar() { result = TScalarValueNode(script) }
ExpressionImpl getAnScriptExpr() { result.getParentNode().getNode() = script }
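Review bot: Dropping the `this.getAPropertyValue("branches").matches("%*%")` disjunct at L145-L148 means a `workflow_run` trigger with any `branches` filter, a wildcard such as `["*"]` included, is now treated as not externally triggerable, and the rewritten comment at L149-L151 does not say why a pattern filter is now trusted. As far as I can tell the `branches` filter of `workflow_run` is matched against the head branch of the triggering run, which for a `pull_request`-triggered workflow from a fork is a name the contributor chooses, so a pattern filter is not a strong guard and this reads as a false-negative risk. If the narrowing is intended, a sentence in the comment such as `// any branches filter, including patterns, is treated as restricting workflow_run to trusted contexts` would record the decision. The enclosing predicate starts and ends outside the hunk.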


@@ -28,13 +28,13 @@ class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink {
)
or
exists(
Run run, string line, string argument, string regexp, int argument_group, int command_group
Run run, string cmd, string argument, string regexp, int argument_group, int command_group
|
run.getScript().splitAt("\n") = line and
run.getACommand() = cmd and
run.getScriptScalar() = this.asExpr() and
argumentInjectionSinksDataModel(regexp, command_group, argument_group) and
argument = line.regexpCapture(regexp, argument_group) and
command = line.regexpCapture(regexp, command_group) and
argument = cmd.regexpCapture(regexp, argument_group) and
command = cmd.regexpCapture(regexp, command_group) and
argument.regexpMatch(".*\\$(\\{)?(GITHUB_HEAD_REF).*")
)
}
@@ -60,12 +60,12 @@ private module ArgumentInjectionConfig implements DataFlow::ConfigSig {
source instanceof RemoteFlowSource
or
exists(
Run run, string argument, string line, string regexp, int command_group, int argument_group
Run run, string argument, string cmd, string regexp, int command_group, int argument_group
|
run.getScriptScalar() = source.asExpr() and
run.getScript().splitAt("\n") = line and
run.getACommand() = cmd and
argumentInjectionSinksDataModel(regexp, command_group, argument_group) and
argument = line.regexpCapture(regexp, argument_group) and
argument = cmd.regexpCapture(regexp, argument_group) and
argument.regexpMatch(".*\\$(\\{)?(GITHUB_HEAD_REF).*")
)
}
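Review bot: The `exists(Run run, string argument, string cmd, string regexp, int command_group, int argument_group | ...)` block at L188-L199 repeats the sink block at L170-L183 except for the `command` binding and the `this.asExpr()`/`source.asExpr()` anchor, so the `GITHUB_HEAD_REF` regex at L182/L198 is maintained twice. A shared predicate, say `predicate argumentInjectionCommand(Run run, string cmd, string command, string argument)`, that both the sink and the source call would keep the data-model lookup and the regex in one place. In both blocks `run.getACommand() = cmd` ranges over every command of the script, not only the one the matched scalar belongs to, which is fine for a whole-script scalar but deserves a one-line comment. Both enclosing predicates start outside their hunks.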


@@ -155,71 +155,54 @@ class ActionsGitHubScriptDownloadStep extends UntrustedArtifactDownloadStep, Use
}
override string getPath() {
if
this.getAFollowingStep()
.(Run)
.getScript()
.splitAt("\n")
.regexpMatch(unzipRegexp() + unzipDirArgRegexp())
if this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp() + unzipDirArgRegexp())
then
result =
normalizePath(trimQuotes(this.getAFollowingStep()
.(Run)
.getScript()
.splitAt("\n")
.getACommand()
.regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2)))
else
if this.getAFollowingStep().(Run).getScript().splitAt("\n").regexpMatch(unzipRegexp())
if this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp())
then result = "GITHUB_WORKSPACE/"
else none()
}
}
class GHRunArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run {
string script;
GHRunArtifactDownloadStep() {
// eg: - run: gh run download ${{ github.event.workflow_run.id }} --repo "${GITHUB_REPOSITORY}" --name "artifact_name"
this.getScript() = script and
script.splitAt("\n").regexpMatch(".*gh\\s+run\\s+download.*") and
script.splitAt("\n").matches("%github.event.workflow_run.id%") and
this.getACommand().regexpMatch(".*gh\\s+run\\s+download.*") and
this.getACommand().matches("%github.event.workflow_run.id%") and
(
script.splitAt("\n").regexpMatch(unzipRegexp()) or
this.getAFollowingStep().(Run).getScript().splitAt("\n").regexpMatch(unzipRegexp())
this.getACommand().regexpMatch(unzipRegexp()) or
this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp())
)
}
override string getPath() {
if
this.getAFollowingStep()
.(Run)
.getScript()
.splitAt("\n")
.regexpMatch(unzipRegexp() + unzipDirArgRegexp()) or
script.splitAt("\n").regexpMatch(unzipRegexp() + unzipDirArgRegexp())
this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp() + unzipDirArgRegexp()) or
this.getACommand().regexpMatch(unzipRegexp() + unzipDirArgRegexp())
then
result =
normalizePath(trimQuotes(script
.splitAt("\n")
normalizePath(trimQuotes(this.getACommand()
.regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) or
result =
normalizePath(trimQuotes(this.getAFollowingStep()
.(Run)
.getScript()
.splitAt("\n")
.getACommand()
.regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2)))
else
if
this.getAFollowingStep().(Run).getScript().splitAt("\n").regexpMatch(unzipRegexp()) or
script.splitAt("\n").regexpMatch(unzipRegexp())
this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp()) or
this.getACommand().regexpMatch(unzipRegexp())
then result = "GITHUB_WORKSPACE/"
else none()
}
}
class DirectArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run {
string script;
DirectArtifactDownloadStep() {
// eg:
// run: |
@@ -230,32 +213,25 @@ class DirectArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run {
// gh api $url > "$name.zip"
// unzip -d "$name" "$name.zip"
// done
this.getScript() = script and
script.splitAt("\n").matches("%github.event.workflow_run.artifacts_url%") and
this.getACommand().matches("%github.event.workflow_run.artifacts_url%") and
(
script.splitAt("\n").regexpMatch(unzipRegexp()) or
this.getAFollowingStep().(Run).getScript().splitAt("\n").regexpMatch(unzipRegexp())
this.getACommand().regexpMatch(unzipRegexp()) or
this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp())
)
}
override string getPath() {
if
script.splitAt("\n").regexpMatch(unzipRegexp() + unzipDirArgRegexp()) or
this.getAFollowingStep()
.(Run)
.getScript()
.splitAt("\n")
.regexpMatch(unzipRegexp() + unzipDirArgRegexp())
this.getACommand().regexpMatch(unzipRegexp() + unzipDirArgRegexp()) or
this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp() + unzipDirArgRegexp())
then
result =
normalizePath(trimQuotes(script
.splitAt("\n")
normalizePath(trimQuotes(this.getACommand()
.regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) or
result =
normalizePath(trimQuotes(this.getAFollowingStep()
.(Run)
.getScript()
.splitAt("\n")
.getACommand()
.regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2)))
else result = "GITHUB_WORKSPACE/"
}
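Review bot: In `GHRunArtifactDownloadStep` at L236-L237 the two `this.getACommand()` calls are independent, so the `gh run download` pattern and the `github.event.workflow_run.id` check can be satisfied by two different commands of the script; the old per-line matching had the same looseness, but splitting at `;`, `|` and `&&` makes cross-command matches more likely. Binding one command keeps both conditions on the same one: `exists(string cmd | cmd = this.getACommand() | cmd.regexpMatch(".*gh\\s+run\\s+download.*") and cmd.matches("%github.event.workflow_run.id%"))`; the same applies to the paired `getACommand()` calls in `DirectArtifactDownloadStep` at L289-L294. The rendering still shows `string script;` at L230 and L279 after the `this.getScript() = script` bindings were removed; presumably those fields were deleted too, since an unbound field would not compile, but the page cannot confirm it. `DirectArtifactDownloadStep`'s constructor is split across the two hunks.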


@@ -255,10 +255,13 @@ class PermissionActionCheck extends PermissionCheck instanceof UsesStep {
class BashCommentVsHeadDateCheck extends CommentVsHeadDateCheck, Run {
BashCommentVsHeadDateCheck() {
exists(string line |
line = this.getScript().splitAt("\n") and
line.toLowerCase()
.regexpMatch(".*date\\s+-d.*(commit_at|pushed_at|comment_at|commented_at).*date\\s+-d.*(commit_at|pushed_at|comment_at|commented_at).*")
// eg: if [[ $(date -d "$pushed_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then
exists(string cmd1, string cmd2 |
cmd1 = this.getACommand() and
cmd2 = this.getACommand() and
not cmd1 = cmd2 and
cmd1.toLowerCase().regexpMatch("date\\s+-d.*(commit|pushed|comment|commented)_at.*") and
cmd2.toLowerCase().regexpMatch("date\\s+-d.*(commit|pushed|comment|commented)_at.*")
)
}
}
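Review bot: The per-command regex at L337-L338 is anchored at the start of the command (`regexpMatch` matches the whole string), so a `date -d` call with a leading assignment or wrapper, e.g. `TZ=UTC date -d "$pushed_at" +%s`, no longer matches, whereas the removed pattern at L331 allowed anything before `date`. Keeping a `.*` prefix, `cmd1.toLowerCase().regexpMatch(".*date\\s+-d.*(commit|pushed|comment|commented)_at.*")`, preserves the old coverage. `cmd1` and `cmd2` are also any two distinct commands of the step, so the two `date -d` calls are no longer required to sit in the same comparison as in the `// eg:` example; if that is intended, the comment could say the two calls may appear anywhere in the script.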


@@ -37,11 +37,8 @@ class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink {
// e.g.
// FOO=$(cat test-results/sha-number)
// echo "FOO=$FOO" >> $GITHUB_PATH
exists(string line, string var_name, string var_value |
run.getScript().splitAt("\n") = line
|
var_name = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 1) and
var_value = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 2) and
exists(string var_name, string var_value |
run.getAnAssignment(var_name, var_value) and
outputsPartialFileContent(var_value) and
(
value.matches("%$" + ["", "{", "ENV{"] + var_name + "%")


@@ -42,11 +42,8 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink {
// e.g.
// FOO=$(cat test-results/sha-number)
// echo "FOO=$FOO" >> $GITHUB_ENV
exists(string line, string var_name, string var_value |
run.getScript().splitAt("\n") = line
|
var_name = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 1) and
var_value = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 2) and
exists(string var_name, string var_value |
run.getAnAssignment(var_name, var_value) and
outputsPartialFileContent(var_value) and
(
value.matches("%$" + ["", "{", "ENV{"] + var_name + "%")


@@ -56,11 +56,8 @@ class OutputClobberingFromFileReadSink extends OutputClobberingSink {
// e.g.
// FOO=$(cat test-results/sha-number)
// echo "FOO=$FOO" >> $GITHUB_OUTPUT
exists(string line, string var_name, string var_value |
run.getScript().splitAt("\n") = line
|
var_name = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 1) and
var_value = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 2) and
exists(string var_name, string var_value |
run.getAnAssignment(var_name, var_value) and
outputsPartialFileContent(var_value) and
(
value.matches("%$" + ["", "{", "ENV{"] + var_name + "%")
@@ -154,11 +151,11 @@ class WorkflowCommandClobberingFromFileReadSink extends OutputClobberingSink {
// A file is read and its content is printed to stdout
// - run: echo "foo=$(<pr-id.txt)"
clobbering_line.regexpMatch(".*echo\\s+(-e)?\\s*(\"|')?") and
clobbering_line.regexpMatch(partialFileContentRegexp() + ".*")
clobbering_line.regexpMatch(["ls", Bash::partialFileContentCommand()] + "\\s.*")
or
// A file content is printed to stdout
// - run: cat pr-id.txt
clobbering_line.regexpMatch(partialFileContentRegexp() + ".*")
clobbering_line.regexpMatch(["ls", Bash::partialFileContentCommand()] + "\\s.*")
)
)
}
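Review bot: `["ls", Bash::partialFileContentCommand()]` at L398 and L403 re-adds `ls` locally because `Bash::partialFileContentCommand()` (`cat`, `jq`, `yq`, `tail`, `head`) omits it, while the removed `partialFileContentRegexp()` still had `ls\\s+`; `outputsPartialFileContent`, which now builds on `partialFileContentCommand()` and is what the `*FromFileReadSink` classes in this file and the env-var/env-path files call, has therefore silently lost `FOO=$(ls ...)`. Either add `"ls"` to `partialFileContentCommand()` or introduce a separate `Bash::fileListingCommand()` used at both sites, so the two call sites agree and the narrowing is explicit. The enclosing predicate of the second hunk starts outside it.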


@@ -18,7 +18,7 @@ class PoisonableCommandStep extends PoisonableStep, Run {
PoisonableCommandStep() {
exists(string regexp |
poisonableCommandsDataModel(regexp) and
exists(this.getScript().splitAt("\n").trim().regexpFind(regexp, _, _))
exists(this.getACommand().regexpFind(regexp, _, _))
)
}
}
@@ -39,11 +39,9 @@ class LocalScriptExecutionRunStep extends PoisonableStep, Run {
string path;
LocalScriptExecutionRunStep() {
exists(string line, string regexp, int path_group |
line = this.getScript().splitAt("\n").trim()
|
exists(string cmd, string regexp, int path_group | cmd = this.getACommand() |
poisonableLocalScriptsDataModel(regexp, path_group) and
path = line.regexpCapture(regexp, path_group)
path = cmd.regexpCapture(regexp, path_group)
)
}
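Review bot: `exists(this.getACommand().regexpFind(regexp, _, _))` at L415 is an unanchored search, so now that commands are split and trimmed a data-model entry that is just a name matches as a substring; the `bun` entry added to the poisonable-commands model in this PR would also fire on `bundle` or `echo ubuntu`, assuming `poisonableCommandsDataModel` passes the strings through unchanged (its definition is not in view). Matching at a token boundary, e.g. `this.getACommand().regexpMatch("(.*\\s)?(" + regexp + ")(\\s.*)?")`, keeps wrapper prefixes working while ruling out substring hits. `LocalScriptExecutionRunStep` at L425-L428 is unaffected because `regexpCapture` requires a whole-string match.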


@@ -265,11 +265,10 @@ class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep {
/** Checkout of a Pull Request HEAD ref using git within a Run step */
class GitMutableRefCheckout extends MutableRefCheckoutStep instanceof Run {
GitMutableRefCheckout() {
exists(string line |
this.getScript().splitAt("\n") = line and
line.regexpMatch(".*git\\s+(fetch|pull).*") and
exists(string cmd | this.getACommand() = cmd |
cmd.regexpMatch("git\\s+(fetch|pull).*") and
(
(containsHeadRef(line) or containsPullRequestNumber(line))
(containsHeadRef(cmd) or containsPullRequestNumber(cmd))
or
exists(string varname, string expr |
expr = this.getInScopeEnvVarExpr(varname).getExpression() and
@@ -277,7 +276,7 @@ class GitMutableRefCheckout extends MutableRefCheckoutStep instanceof Run {
containsHeadRef(expr) or
containsPullRequestNumber(expr)
) and
exists(line.regexpFind(varname, _, _))
exists(cmd.regexpFind(varname, _, _))
)
)
)
@@ -289,16 +288,15 @@ class GitMutableRefCheckout extends MutableRefCheckoutStep instanceof Run {
/** Checkout of a Pull Request HEAD ref using git within a Run step */
class GitSHACheckout extends SHACheckoutStep instanceof Run {
GitSHACheckout() {
exists(string line |
this.getScript().splitAt("\n") = line and
line.regexpMatch(".*git\\s+(fetch|pull).*") and
exists(string cmd | this.getACommand() = cmd |
cmd.regexpMatch("git\\s+(fetch|pull).*") and
(
containsHeadSHA(line)
containsHeadSHA(cmd)
or
exists(string varname, string expr |
expr = this.getInScopeEnvVarExpr(varname).getExpression() and
containsHeadSHA(expr) and
exists(line.regexpFind(varname, _, _))
exists(cmd.regexpFind(varname, _, _))
)
)
)
@@ -310,18 +308,17 @@ class GitSHACheckout extends SHACheckoutStep instanceof Run {
/** Checkout of a Pull Request HEAD ref using gh within a Run step */
class GhMutableRefCheckout extends MutableRefCheckoutStep instanceof Run {
GhMutableRefCheckout() {
exists(string line |
this.getScript().splitAt("\n") = line and
line.regexpMatch(".*(gh|hub)\\s+pr\\s+checkout.*") and
exists(string cmd | this.getACommand() = cmd |
cmd.regexpMatch(".*(gh|hub)\\s+pr\\s+checkout.*") and
(
(containsHeadRef(line) or containsPullRequestNumber(line))
(containsHeadRef(cmd) or containsPullRequestNumber(cmd))
or
exists(string varname |
(
containsHeadRef(this.getInScopeEnvVarExpr(varname).getExpression()) or
containsPullRequestNumber(this.getInScopeEnvVarExpr(varname).getExpression())
) and
exists(line.regexpFind(varname, _, _))
exists(cmd.regexpFind(varname, _, _))
)
)
)
@@ -333,15 +330,14 @@ class GhMutableRefCheckout extends MutableRefCheckoutStep instanceof Run {
/** Checkout of a Pull Request HEAD ref using gh within a Run step */
class GhSHACheckout extends SHACheckoutStep instanceof Run {
GhSHACheckout() {
exists(string line |
this.getScript().splitAt("\n") = line and
line.regexpMatch(".*gh\\s+pr\\s+checkout.*") and
exists(string cmd | this.getACommand() = cmd |
cmd.regexpMatch("gh\\s+pr\\s+checkout.*") and
(
containsHeadSHA(line)
containsHeadSHA(cmd)
or
exists(string varname |
containsHeadSHA(this.getInScopeEnvVarExpr(varname).getExpression()) and
exists(line.regexpFind(varname, _, _))
exists(cmd.regexpFind(varname, _, _))
)
)
)
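Review bot: The rewritten `git` patterns at L442, L466 and L510 drop the leading `.*` (`git\\s+(fetch|pull).*`), so with `regexpMatch` the command must start with `git`, while `GhMutableRefCheckout` at L487 keeps `.*(gh|hub)\\s+pr\\s+checkout.*`; the four classes now disagree on whether a wrapper or env prefix before the tool (e.g. `GIT_TERMINAL_PROMPT=0 git fetch ...`) counts as a checkout. Either keep `.*` on all four or anchor all four and state in the QLDoc that commands are matched from their first token. `varname` is still used as a raw regex in `cmd.regexpFind(varname, _, _)` at L454, L475, L498 and L518; that predates this PR, but a `// varname is interpreted as a regex` comment would flag it for names containing metacharacters. Each characteristic predicate continues past its hunk.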


@@ -3,7 +3,14 @@ extensions:
pack: github/actions-all
extensible: argumentInjectionSinksDataModel
# https://gtfobins.github.io/
# https://0xn3va.gitbook.io/cheat-sheets/web-application/command-injection/argument-injection
data:
- ["(awk)(.*?)", 2, 3]
- ["(sed)(.*?)", 2, 3]
- ["(awk)\\s(.*?)", 2, 3]
- ["(curl)\\s(.*?)", 2, 3]
- ["(find)\\s(.*?)", 2, 3]
- ["(git)\\s(.*?)", 2, 3]
- ["(sed)\\s(.*?)", 2, 3]
- ["(tar)\\s(.*?)", 2, 3]
- ["(wget)\\s(.*?)", 2, 3]
- ["(zip)\\s(.*?)", 2, 3]


@@ -19,6 +19,7 @@ extensions:
- ["asv"]
- ["awk\\s+-f"]
- ["bundle"]
- ["bun"]
- ["cargo"]
- ["checkov"]
- ["eslint"]


@@ -0,0 +1,21 @@
on: push
jobs:
local_commands:
runs-on: ubuntu-latest
steps:
- run: |
command1 ; command2
- run: |
command3 | command4
- run: |
command5 "$(command6)"
- run: |
command7 && command8
- run: |
command9 || command10
- run: |
command11 "`command12`"
- run: |
command13 "`command14` $(date | wc -l)"
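Review bot: The fixture exercises one separator per line but no line that combines two different ones, e.g. `command15 ; command16 | command17`, which is exactly the case where splitting on one separator at a time in `Bash::getACommand` can lose the middle command; nor is there a line with two quoted strings that each contain a separator. Adding both would pin the intended behaviour in the `.expected` file rather than leaving it implicit.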


@@ -0,0 +1,206 @@
| .github/workflows/commands.yml:7:9:9:6 | Run Step | command1 |
| .github/workflows/commands.yml:7:9:9:6 | Run Step | command2 |
| .github/workflows/commands.yml:9:9:11:6 | Run Step | command3 |
| .github/workflows/commands.yml:9:9:11:6 | Run Step | command4 |
| .github/workflows/commands.yml:11:9:13:6 | Run Step | command5 "SUBCOMMAND" |
| .github/workflows/commands.yml:11:9:13:6 | Run Step | command6 |
| .github/workflows/commands.yml:13:9:15:6 | Run Step | command7 |
| .github/workflows/commands.yml:13:9:15:6 | Run Step | command8 |
| .github/workflows/commands.yml:15:9:17:6 | Run Step | command9 |
| .github/workflows/commands.yml:15:9:17:6 | Run Step | command10 |
| .github/workflows/commands.yml:17:9:19:6 | Run Step | command11 "SUBCOMMAND" |
| .github/workflows/commands.yml:17:9:19:6 | Run Step | command12 |
| .github/workflows/commands.yml:19:9:20:50 | Run Step | command13 "SUBCOMMAND SUBCOMMAND" |
| .github/workflows/commands.yml:19:9:20:50 | Run Step | command14 |
| .github/workflows/commands.yml:19:9:20:50 | Run Step | date |
| .github/workflows/commands.yml:19:9:20:50 | Run Step | wc -l |
| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | LINE 1echo '${{ github.event.comment.body }}' |
| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' |
| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' |
| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | LINE 2 echo '${{github.event.issue.body}}' |
| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' |
| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' |
| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 2 echo '${{github.event.issue.body}}' |
| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 3 echo '${{ github.event.comment.body }}' |
| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' |
| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | echo "CHANGELOGEOF" |
| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | echo "changelog<<CHANGELOGEOF" |
| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | echo -e "$FILTERED_CHANGELOG" |
| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | tee -a $GITHUB_OUTPUT |
| .github/workflows/multiline2.yml:15:9:20:6 | Run Step | EOF=SUBCOMMAND |
| .github/workflows/multiline2.yml:15:9:20:6 | Run Step | base64 |
| .github/workflows/multiline2.yml:15:9:20:6 | Run Step | cat status.output.json |
| .github/workflows/multiline2.yml:15:9:20:6 | Run Step | dd if=/dev/urandom bs=15 count=1 status=none |
| .github/workflows/multiline2.yml:15:9:20:6 | Run Step | echo "$EOF" |
| .github/workflows/multiline2.yml:15:9:20:6 | Run Step | echo "SUBCOMMAND" |
| .github/workflows/multiline2.yml:15:9:20:6 | Run Step | echo "status<<$EOF" |
| .github/workflows/multiline2.yml:15:9:20:6 | Run Step | tee -a $GITHUB_OUTPUT |
| .github/workflows/multiline2.yml:20:9:24:6 | Run Step | echo "$EOF" |
| .github/workflows/multiline2.yml:20:9:24:6 | Run Step | echo "response<<$EOF" |
| .github/workflows/multiline2.yml:20:9:24:6 | Run Step | echo $output |
| .github/workflows/multiline2.yml:20:9:24:6 | Run Step | tee -a $GITHUB_OUTPUT |
| .github/workflows/multiline2.yml:24:9:30:6 | Run Step | echo 'JSON_RESPONSE<<EOF' |
| .github/workflows/multiline2.yml:24:9:30:6 | Run Step | echo EOF |
| .github/workflows/multiline2.yml:24:9:30:6 | Run Step | grep -E "*.(tar.gz\|zip)$" |
| .github/workflows/multiline2.yml:24:9:30:6 | Run Step | ls |
| .github/workflows/multiline2.yml:24:9:30:6 | Run Step | tee -a "$GITHUB_ENV" |
| .github/workflows/multiline2.yml:30:9:34:6 | Run Step | ${{ toJson(github.event) }} |
| .github/workflows/multiline2.yml:30:9:34:6 | Run Step | EOF |
| .github/workflows/multiline2.yml:30:9:34:6 | Run Step | cat <<-"EOF" > event.json |
| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | ${ISSUE_BODY} |
| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | EOL |
| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | FOO |
| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | cat |
| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | tee -a $GITHUB_ENV << EOL |
| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | ${ISSUE_BODY} |
| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | EOL |
| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | FOO |
| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | cat > issue.txt << EOL |
| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | ${ISSUE_BODY} |
| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | EOL |
| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | FOO |
| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | cat << EOL |
| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | tee -a $GITHUB_ENV |
| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | EOF |
| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | Hello |
| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | World |
| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | cat <<EOF |
| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | sed 's/l/e/g' > file.txt |
| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | EOF |
| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | cat <<-EOF |
| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | echo "FOO=$TITLE" |
| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | tee -a "$GITHUB_ENV" |
| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | cat issue.txt |
| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | echo REPO_NAME=SUBCOMMAND |
| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' |
| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | sed 's/\\\\r/\\\\n/g' |
| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | tee -a $GITHUB_ENV |
| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | tr -d ' ' |
| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | echo "$TITLE" |
| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | echo "EOF" |
| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | echo "PR_TITLE<<EOF" |
| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | tee -a $GITHUB_ENV |
| .github/workflows/multiline2.yml:71:9:78:6 | Run Step | echo "$TITLE" |
| .github/workflows/multiline2.yml:71:9:78:6 | Run Step | echo 'JSON_RESPONSE<<EOF' |
| .github/workflows/multiline2.yml:71:9:78:6 | Run Step | echo EOF |
| .github/workflows/multiline2.yml:71:9:78:6 | Run Step | tee -a "$GITHUB_ENV" |
| .github/workflows/multiline2.yml:78:9:85:6 | Run Step | echo '$ISSUE' |
| .github/workflows/multiline2.yml:78:9:85:6 | Run Step | echo 'EOF' |
| .github/workflows/multiline2.yml:78:9:85:6 | Run Step | echo 'JSON_RESPONSE<<EOF' |
| .github/workflows/multiline2.yml:78:9:85:6 | Run Step | tee -a "$GITHUB_ENV" |
| .github/workflows/multiline2.yml:85:9:89:35 | Run Step | echo 'JSON_RESPONSE<<EOF' |
| .github/workflows/multiline2.yml:85:9:89:35 | Run Step | tee -a "$GITHUB_ENV" |
| .github/workflows/multiline.yml:11:9:15:6 | Run Step | echo "CHANGELOGEOF" >> $GITHUB_OUTPUT |
| .github/workflows/multiline.yml:11:9:15:6 | Run Step | echo "changelog<<CHANGELOGEOF" >> $GITHUB_OUTPUT |
| .github/workflows/multiline.yml:11:9:15:6 | Run Step | echo -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT |
| .github/workflows/multiline.yml:15:9:20:6 | Run Step | EOF=SUBCOMMAND |
| .github/workflows/multiline.yml:15:9:20:6 | Run Step | base64 |
| .github/workflows/multiline.yml:15:9:20:6 | Run Step | cat status.output.json |
| .github/workflows/multiline.yml:15:9:20:6 | Run Step | dd if=/dev/urandom bs=15 count=1 status=none |
| .github/workflows/multiline.yml:15:9:20:6 | Run Step | echo "$EOF" >> $GITHUB_OUTPUT |
| .github/workflows/multiline.yml:15:9:20:6 | Run Step | echo "SUBCOMMAND" >> $GITHUB_OUTPUT |
| .github/workflows/multiline.yml:15:9:20:6 | Run Step | echo "status<<$EOF" >> $GITHUB_OUTPUT |
| .github/workflows/multiline.yml:20:9:24:6 | Run Step | echo "$EOF" >> $GITHUB_OUTPUT |
| .github/workflows/multiline.yml:20:9:24:6 | Run Step | echo "response<<$EOF" >> $GITHUB_OUTPUT |
| .github/workflows/multiline.yml:20:9:24:6 | Run Step | echo $output >> $GITHUB_OUTPUT |
| .github/workflows/multiline.yml:24:9:30:6 | Run Step | echo 'JSON_RESPONSE<<EOF' |
| .github/workflows/multiline.yml:24:9:30:6 | Run Step | echo EOF |
| .github/workflows/multiline.yml:24:9:30:6 | Run Step | grep -E "*.(tar.gz\|zip)$" |
| .github/workflows/multiline.yml:24:9:30:6 | Run Step | ls |
| .github/workflows/multiline.yml:24:9:30:6 | Run Step | } >> "$GITHUB_ENV" |
| .github/workflows/multiline.yml:30:9:34:6 | Run Step | ${{ toJson(github.event) }} |
| .github/workflows/multiline.yml:30:9:34:6 | Run Step | EOF |
| .github/workflows/multiline.yml:30:9:34:6 | Run Step | cat <<-"EOF" > event.json |
| .github/workflows/multiline.yml:34:9:40:6 | Run Step | ${ISSUE_BODY} |
| .github/workflows/multiline.yml:34:9:40:6 | Run Step | EOL |
| .github/workflows/multiline.yml:34:9:40:6 | Run Step | FOO |
| .github/workflows/multiline.yml:34:9:40:6 | Run Step | cat >> $GITHUB_ENV << EOL |
| .github/workflows/multiline.yml:40:9:46:6 | Run Step | ${ISSUE_BODY} |
| .github/workflows/multiline.yml:40:9:46:6 | Run Step | EOL |
| .github/workflows/multiline.yml:40:9:46:6 | Run Step | FOO |
| .github/workflows/multiline.yml:40:9:46:6 | Run Step | cat > issue.txt << EOL |
| .github/workflows/multiline.yml:46:9:52:6 | Run Step | ${ISSUE_BODY} |
| .github/workflows/multiline.yml:46:9:52:6 | Run Step | EOL |
| .github/workflows/multiline.yml:46:9:52:6 | Run Step | FOO |
| .github/workflows/multiline.yml:46:9:52:6 | Run Step | cat << EOL >> $GITHUB_ENV |
| .github/workflows/multiline.yml:52:9:58:6 | Run Step | EOF |
| .github/workflows/multiline.yml:52:9:58:6 | Run Step | Hello |
| .github/workflows/multiline.yml:52:9:58:6 | Run Step | World |
| .github/workflows/multiline.yml:52:9:58:6 | Run Step | cat <<EOF |
| .github/workflows/multiline.yml:52:9:58:6 | Run Step | sed 's/l/e/g' > file.txt |
| .github/workflows/multiline.yml:58:9:63:6 | Run Step | EOF |
| .github/workflows/multiline.yml:58:9:63:6 | Run Step | cat <<-EOF >> "$GITHUB_ENV" |
| .github/workflows/multiline.yml:58:9:63:6 | Run Step | echo "FOO=$TITLE" |
| .github/workflows/multiline.yml:63:9:66:6 | Run Step | cat issue.txt |
| .github/workflows/multiline.yml:63:9:66:6 | Run Step | echo REPO_NAME=SUBCOMMAND >> $GITHUB_ENV |
| .github/workflows/multiline.yml:63:9:66:6 | Run Step | grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' |
| .github/workflows/multiline.yml:63:9:66:6 | Run Step | sed 's/\\\\r/\\\\n/g' |
| .github/workflows/multiline.yml:63:9:66:6 | Run Step | tr -d ' ' |
| .github/workflows/multiline.yml:66:9:71:6 | Run Step | echo "$TITLE" >> $GITHUB_ENV |
| .github/workflows/multiline.yml:66:9:71:6 | Run Step | echo "EOF" >> $GITHUB_ENV |
| .github/workflows/multiline.yml:66:9:71:6 | Run Step | echo "PR_TITLE<<EOF" >> $GITHUB_ENV |
| .github/workflows/multiline.yml:71:9:78:6 | Run Step | echo "$TITLE" |
| .github/workflows/multiline.yml:71:9:78:6 | Run Step | echo 'JSON_RESPONSE<<EOF' |
| .github/workflows/multiline.yml:71:9:78:6 | Run Step | echo EOF |
| .github/workflows/multiline.yml:71:9:78:6 | Run Step | } >> "$GITHUB_ENV" |
| .github/workflows/multiline.yml:78:9:85:6 | Run Step | echo '$ISSUE' |
| .github/workflows/multiline.yml:78:9:85:6 | Run Step | echo 'EOF' |
| .github/workflows/multiline.yml:78:9:85:6 | Run Step | echo 'JSON_RESPONSE<<EOF' |
| .github/workflows/multiline.yml:78:9:85:6 | Run Step | } >> "$GITHUB_ENV" |
| .github/workflows/multiline.yml:85:9:89:29 | Run Step | echo 'JSON_RESPONSE<<EOF' |
| .github/workflows/multiline.yml:85:9:89:29 | Run Step | } >> "$GITHUB_ENV" |
| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | venv/bin/activate |
| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | . venv/bin/activate |
| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | . venv/bin/activate |
| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | echo foo |
| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | . venv/bin/activate |
| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | echo foo |
| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | . venv/bin/activate |
| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | echo foo |
| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | ./venv/bin/activate |
| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | sh venv/bin/activate.sh |
| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | echo SUBCOMMAND |
| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | sh venv/bin/activate.sh |
| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | echo bar |
| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | echo foo |
| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | sh venv/bin/activate.sh |
| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | echo foo |
| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | sh venv/bin/activate.sh > output |
| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | python venv/bin/activate.py |
| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | echo foo |
| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | python venv/bin/activate.py |
| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | pnpm run test:ct |
| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | pip install nbformat |
| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | python scripts/generate_notebooks.py |
| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | python scripts/generate_theme.py --outfile js/storybook/theme.css |
| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css |
| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css |
| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | xvfb-run ./mvnw clean package |
| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | echo "bar" |
| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | echo "foo" |
| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | npm i |
| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | echo "bar" |
| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | echo "foo" |
| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | npm i |
| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | echo "bar" |
| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | echo "foo" |
| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | npm i |
| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | echo "foo SUBCOMMAND bar" |
| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | npm i |
| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | dotnet test foo/Tests.csproj -c Release |
| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | go run foo.go |
| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | " config.json |
| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | git_branch = .* |
| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json |
| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | sed -i "s |
| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\" |
| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | sed -f ./config.sed file.txt > foo.txt |
| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | sed -f config file.txt > foo.txt |
| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | awk -f ./config.awk > foo.txt |
| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | echo "foo" |
| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo |
| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | ./foo/cmd |
| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | sed -e 's#<branch_to_sync>#TITLE#' -e 's#<sot_repo>#${{ env.sot_repo }}#' -e 's#<destination_repo>#${TITLE}#' .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky |
| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} |
| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ github.event.pull_request.head.ref }} |
| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} |


@@ -0,0 +1,4 @@
import actions
from Run run
select run, run.getACommand()


@@ -1,6 +1,4 @@
| .github/workflows/multiline2.yml:24:9:30:6 | Run Step |
| .github/workflows/multiline2.yml:63:9:66:6 | Run Step |
| .github/workflows/multiline.yml:24:9:30:6 | Run Step |
| .github/workflows/multiline.yml:63:9:66:6 | Run Step |
| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step |
| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step |


@@ -0,0 +1,13 @@
name: Self-hosted runner (AMD mi250 CI caller)
on:
workflow_run:
workflows: ["Test"]
branches-ignore: ["foo"]
types: [completed]
jobs:
test:
runs-on: ubuntu-latest
steps:
- run: echo ${{ github.event.workflow_run.head_branch }}


@@ -447,6 +447,7 @@ nodes
| .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
| .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
| .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
| .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
subpaths
| .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] |
| .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] |
@@ -566,4 +567,4 @@ subpaths
| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |
| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | ${{ github.event.workflow_run.head_repository.description }} |
| .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |
| .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |
| .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |


@@ -447,6 +447,7 @@ nodes
| .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
| .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
| .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
| .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
subpaths
| .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] |
| .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] |
@@ -490,3 +491,4 @@ subpaths
| .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} |
| .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |
| .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |
| .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |


@@ -18,8 +18,7 @@ jobs:
- name: Env Var Injection
run: |
echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"
ls | grep -E "*.(tar.gz|zip)$" >> "${GITHUB_ENV}"
ls | grep -E "*.(txt|md)$" >> "${GITHUB_ENV}"
cat foo >> "$GITHUB_ENV"
echo "EOF" >> "${GITHUB_ENV}"
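Review bot: The piped form of the fixture (`ls | grep -E "*.(tar.gz|zip)$" >> "${GITHUB_ENV}"` and its `txt|md` sibling) is replaced by `cat foo >> "$GITHUB_ENV"` instead of being kept next to it, so the test no longer exercises a pipeline that writes command output into `$GITHUB_ENV`; the same swap happens in the brace-group fixture at the next hunk. Combined with the `.expected` updates further down, where the `ls \| grep` labels disappear, this looks like the new command-based `outputsPartialFileContent` matcher does not recognise the piped shape, though that is inferred rather than visible here. I would keep the old line alongside the new one so the pipeline case stays covered, either as a positive result if the matcher is meant to catch it or as a deliberately documented negative. If the piped form is intentionally out of scope now, a one-line comment in the fixture such as `# piped output into GITHUB_ENV is intentionally not flagged` would record that decision.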


@@ -18,7 +18,7 @@ jobs:
- run: |
{
echo 'JSON_RESPONSE<<EOF'
ls | grep -E "*.(tar.gz|zip)$"
cat foo
echo EOF
} >> "$GITHUB_ENV"


@@ -13,8 +13,8 @@ edges
| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | provenance | |
| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | provenance | |
| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | |
| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | |
| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<<EOF'\n ls \| grep -E "*.(tar.gz\|zip)$"\n echo EOF\n} >> "$GITHUB_ENV"\n | provenance | |
| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | |
| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<<EOF'\n cat foo\n echo EOF\n} >> "$GITHUB_ENV"\n | provenance | |
| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | |
| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | |
| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | provenance | |
@@ -44,9 +44,9 @@ nodes
| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | semmle.label | Run Step |
| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | semmle.label | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n |
| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | semmle.label | Run Step |
| .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n |
| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n |
| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | semmle.label | Run Step |
| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<<EOF'\n ls \| grep -E "*.(tar.gz\|zip)$"\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<<EOF'\n ls \| grep -E "*.(tar.gz\|zip)$"\n echo EOF\n} >> "$GITHUB_ENV"\n |
| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<<EOF'\n cat foo\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<<EOF'\n cat foo\n echo EOF\n} >> "$GITHUB_ENV"\n |
| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n |
| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | semmle.label | Uses Step |
@@ -67,8 +67,8 @@ subpaths
| .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | ./foo/cmd |
| .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | ./cmd |
| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n |
| .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n |
| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<<EOF'\n ls \| grep -E "*.(tar.gz\|zip)$"\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<<EOF'\n ls \| grep -E "*.(tar.gz\|zip)$"\n echo EOF\n} >> "$GITHUB_ENV"\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<<EOF'\n ls \| grep -E "*.(tar.gz\|zip)$"\n echo EOF\n} >> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<<EOF'\n ls \| grep -E "*.(tar.gz\|zip)$"\n echo EOF\n} >> "$GITHUB_ENV"\n |
| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n |
| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<<EOF'\n cat foo\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<<EOF'\n cat foo\n echo EOF\n} >> "$GITHUB_ENV"\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<<EOF'\n cat foo\n echo EOF\n} >> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<<EOF'\n cat foo\n echo EOF\n} >> "$GITHUB_ENV"\n |
| .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | sed -f config foo.md > bar.md\n |
| .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | python test.py |
| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Uses Step |


@@ -13,8 +13,8 @@ edges
| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | provenance | |
| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | provenance | |
| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | |
| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | |
| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<<EOF'\n ls \| grep -E "*.(tar.gz\|zip)$"\n echo EOF\n} >> "$GITHUB_ENV"\n | provenance | |
| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | |
| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<<EOF'\n cat foo\n echo EOF\n} >> "$GITHUB_ENV"\n | provenance | |
| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | |
| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | |
| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | provenance | |
@@ -44,9 +44,9 @@ nodes
| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | semmle.label | Run Step |
| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | semmle.label | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n |
| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | semmle.label | Run Step |
| .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n |
| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n |
| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | semmle.label | Run Step |
| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<<EOF'\n ls \| grep -E "*.(tar.gz\|zip)$"\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<<EOF'\n ls \| grep -E "*.(tar.gz\|zip)$"\n echo EOF\n} >> "$GITHUB_ENV"\n |
| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<<EOF'\n cat foo\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<<EOF'\n cat foo\n echo EOF\n} >> "$GITHUB_ENV"\n |
| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n |
| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | semmle.label | Uses Step |


@@ -31,7 +31,7 @@ edges
| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:15:9:18:6 | Run Step |
| .github/workflows/artifactpoisoning51.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step |
| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:15:9:18:6 | Run Step |
| .github/workflows/artifactpoisoning52.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning52.yml:18:9:23:40 | Run Step |
| .github/workflows/artifactpoisoning52.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning52.yml:18:9:22:40 | Run Step |
| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:15:9:18:6 | Run Step |
| .github/workflows/artifactpoisoning53.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step |
| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:16:9:18:40 | Run Step |