Merge Actions queries from github/codeql-actions

This commit is contained in:
Dave Bartolomeo
2024-12-18 14:39:43 -05:00
1310 changed files with 38329 additions and 4 deletions


@@ -0,0 +1,28 @@
---
lockVersion: 1.0.0
dependencies:
codeql/controlflow:
version: 1.0.12
codeql/dataflow:
version: 1.1.6
codeql/javascript-all:
version: 2.1.1
codeql/mad:
version: 1.0.12
codeql/regex:
version: 1.0.12
codeql/ssa:
version: 1.0.12
codeql/threat-models:
version: 1.0.12
codeql/tutorial:
version: 1.0.12
codeql/typetracking:
version: 1.0.12
codeql/util:
version: 1.0.12
codeql/xml:
version: 1.0.12
codeql/yaml:
version: 1.0.12
compiled: false


@@ -0,0 +1,39 @@
on: push
defaults:
run:
shell: bash -wkf
jobs:
local_commands:
runs-on: ubuntu-latest
defaults:
run:
shell: bash -job
steps:
- shell: bash -step
run: |
command1 ; command2
- run: |
command3 | command4
- run: |
command5 "$(command6)"
- run: |
command7 && command8
- run: |
command9 || command10
- run: |
command11 "`command12`"
- run: |
command13 "`command14` $(date | wc -l)"
local_commands2:
runs-on: ubuntu-latest
steps:
- shell: bash -step
run: |
command1 ; command2
- shell: pwsh
run: |
command3 | command4
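Review bot: The fixture never uses the `{0}` placeholder form GitHub documents for custom shells (`bash -e {0}`, `bash --noprofile --norc -eo pipefail {0}`), so the `shell: bash -step` override only shows that extra tokens after `bash` are tolerated, not that a script-path placeholder is handled. One extra step such as `- shell: bash -e {0}` with `run: command15 ; command16`, plus a `shell: sh` step, would pin both behaviours. The expected results list only bash-shell steps and omit the `pwsh` step, which looks intentional; a trailing `# negative case: not a bash shell` on that step would make the intent explicit.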


@@ -0,0 +1,22 @@
on: issue_comment
jobs:
echo-chamber:
runs-on: ubuntu-latest
steps:
- run: LINE 1echo '${{ github.event.comment.body }}'
- run: |
LINE 1 echo '${{ github.event.comment.body }}'
- run: |
LINE 1 echo '${{ github.event.comment.body }}'
LINE 2 echo '${{github.event.issue.body}}'
- run: >
LINE 1 echo '${{ github.event.comment.body }}'
echo '${{github.event.issue.body}}'
- run: |
LINE 1 echo '${{ github.event.comment.body }}'
LINE 2 echo '${{github.event.issue.body}}'
LINE 3 echo '${{ github.event.comment.body }}'
- run: "LINE 1 echo '${{ github.event.comment.body }}'
echo '${{github.event.issue.body}}'"
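Review bot: Nothing marks these steps as deliberately injectable, and the single quotes around `${{ github.event.comment.body }}` look protective to a casual reader even though the runner substitutes the expression before bash parses the line, so a `'` inside the comment body ends the quoting. A header comment such as `# Test fixture: intentionally vulnerable. ${{ }} is substituted before the shell runs; quoting does not help.` would stop the pattern being copied as a safe idiom. The `LINE 1echo` token on the first step (no space before `echo`) reads like a typo; if it exists to exercise tokenisation, a trailing comment should say so.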


@@ -0,0 +1,89 @@
on:
workflow_run:
workflows: ["Prev"]
types:
- completed
jobs:
Test:
runs-on: ubuntu-latest
steps:
- run: |
echo "changelog<<CHANGELOGEOF" >> $GITHUB_OUTPUT
echo -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT
echo "CHANGELOGEOF" >> $GITHUB_OUTPUT
- run: |
EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
echo "status<<$EOF" >> $GITHUB_OUTPUT
echo "$(cat status.output.json)" >> $GITHUB_OUTPUT
echo "$EOF" >> $GITHUB_OUTPUT
- run: |
echo "response<<$EOF" >> $GITHUB_OUTPUT
echo $output >> $GITHUB_OUTPUT
echo "$EOF" >> $GITHUB_OUTPUT
- run: |
{
echo 'JSON_RESPONSE<<EOF'
ls | grep -E "*.(tar.gz|zip)$"
echo EOF
} >> "$GITHUB_ENV"
- run: |
cat <<-"EOF" > event.json
${{ toJson(github.event) }}
EOF
- name: heredoc11
run: |
cat >> $GITHUB_ENV << EOL
${ISSUE_BODY}
FOO
EOL
- name: heredoc12
run: |
cat > issue.txt << EOL
${ISSUE_BODY}
FOO
EOL
- name: heredoc21
run: |
cat << EOL >> $GITHUB_ENV
${ISSUE_BODY}
FOO
EOL
- name: heredoc22
run: |
cat <<EOF | sed 's/l/e/g' > file.txt
Hello
World
EOF
- name: heredoc23
run: |
cat <<-EOF >> "$GITHUB_ENV"
echo "FOO=$TITLE"
EOF
- name: line1
run: |
echo REPO_NAME=$(cat issue.txt | sed 's/\\r/\\n/g' | grep -ioE '\\s*[a-z0-9_-]+/[a-z0-9_-]+\\s*$' | tr -d ' ') >> $GITHUB_ENV
- name: multiline1
run: |
echo "PR_TITLE<<EOF" >> $GITHUB_ENV
echo "$TITLE" >> $GITHUB_ENV
echo "EOF" >> $GITHUB_ENV
- name: block11
run: |
{
echo 'JSON_RESPONSE<<EOF'
echo "$TITLE"
echo EOF
} >> "$GITHUB_ENV"
- name: block12
run: |
{
echo 'JSON_RESPONSE<<EOF'
echo '$ISSUE'
echo 'EOF'
} >> "$GITHUB_ENV"
- name: block13
run: |
{
echo 'JSON_RESPONSE<<EOF'
} >> "$GITHUB_ENV"
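Review bot: The third step (`echo "response<<$EOF" >> $GITHUB_OUTPUT`) reads `$EOF`, which was assigned in the previous step, but each `run:` block is a fresh shell, so here the variable is empty and the line writes `response<<` with no delimiter at all. If the fixture is meant to model the safe random-delimiter idiom, the `EOF=$(dd …)` line belongs in the same step; if an empty delimiter is the case under test, a comment saying so keeps the next reader from "fixing" it. The first step is the injection the query targets — `$FILTERED_CHANGELOG` is written between fixed `CHANGELOGEOF` markers, so a payload containing that line on its own terminates the value early and the remainder defines further outputs — and a `# unsafe: attacker-controlled text can contain the fixed delimiter` marker would document which steps are expected positives.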


@@ -0,0 +1,89 @@
on:
workflow_run:
workflows: ["Prev"]
types:
- completed
jobs:
Test:
runs-on: ubuntu-latest
steps:
- run: |
echo "changelog<<CHANGELOGEOF" | tee -a $GITHUB_OUTPUT
echo -e "$FILTERED_CHANGELOG" | tee -a $GITHUB_OUTPUT
echo "CHANGELOGEOF" | tee -a $GITHUB_OUTPUT
- run: |
EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
echo "status<<$EOF" | tee -a $GITHUB_OUTPUT
echo "$(cat status.output.json)" | tee -a $GITHUB_OUTPUT
echo "$EOF" | tee -a $GITHUB_OUTPUT
- run: |
echo "response<<$EOF" | tee -a $GITHUB_OUTPUT
echo $output | tee -a $GITHUB_OUTPUT
echo "$EOF" | tee -a $GITHUB_OUTPUT
- run: |
{
echo 'JSON_RESPONSE<<EOF'
ls | grep -E "*.(tar.gz|zip)$"
echo EOF
} | tee -a "$GITHUB_ENV"
- run: |
cat <<-"EOF" > event.json
${{ toJson(github.event) }}
EOF
- name: heredoc11
run: |
cat | tee -a $GITHUB_ENV << EOL
${ISSUE_BODY}
FOO
EOL
- name: heredoc12
run: |
cat > issue.txt << EOL
${ISSUE_BODY}
FOO
EOL
- name: heredoc21
run: |
cat << EOL | tee -a $GITHUB_ENV
${ISSUE_BODY}
FOO
EOL
- name: heredoc22
run: |
cat <<EOF | sed 's/l/e/g' > file.txt
Hello
World
EOF
- name: heredoc23
run: |
cat <<-EOF | tee -a "$GITHUB_ENV"
echo "FOO=$TITLE"
EOF
- name: line1
run: |
echo REPO_NAME=$(cat issue.txt | sed 's/\\r/\\n/g' | grep -ioE '\\s*[a-z0-9_-]+/[a-z0-9_-]+\\s*$' | tr -d ' ') | tee -a $GITHUB_ENV
- name: multiline1
run: |
echo "PR_TITLE<<EOF" | tee -a $GITHUB_ENV
echo "$TITLE" | tee -a $GITHUB_ENV
echo "EOF" | tee -a $GITHUB_ENV
- name: block11
run: |
{
echo 'JSON_RESPONSE<<EOF'
echo "$TITLE"
echo EOF
} | tee -a "$GITHUB_ENV"
- name: block12
run: |
{
echo 'JSON_RESPONSE<<EOF'
echo '$ISSUE'
echo 'EOF'
} | tee -a "$GITHUB_ENV"
- name: block13
run: |
{
echo 'JSON_RESPONSE<<EOF'
} | tee -a "$GITHUB_ENV"
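Review bot: In `heredoc11`, `cat | tee -a $GITHUB_ENV << EOL` attaches the here-document to `tee`, not to `cat`: `tee` reads the heredoc directly while `cat` reads the step's own stdin and its pipe output is never consumed. That differs from `heredoc21` (`cat << EOL | tee -a $GITHUB_ENV`), which is presumably the intended shape; if this variant exists to exercise a redirection placed after the pipeline, a comment such as `# heredoc binds to tee, not cat` would make that visible. The matching expected row (`tee -a $GITHUB_ENV <`) also drops the delimiter, so the extraction appears to split at the first `<` rather than after `<< EOL`.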


@@ -0,0 +1,46 @@
on: push
jobs:
local_commands:
runs-on: ubuntu-latest
steps:
- run: venv/bin/activate # not supported yet
- uses: actions/github-script@v7
with:
script: |
const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')
return foo({ github, context, core }, body, number, sender)
- run: . venv/bin/activate
- run: echo foo; . venv/bin/activate
- run: echo foo;. venv/bin/activate
- run: echo foo |. venv/bin/activate
- run: ./venv/bin/activate
- run: sh venv/bin/activate.sh
- run: echo $(sh venv/bin/activate.sh)
- run: echo foo; sh venv/bin/activate.sh; echo bar
- run: echo foo | sh venv/bin/activate.sh > output
- run: python venv/bin/activate.py
- run: echo foo; python venv/bin/activate.py
- run: pnpm run test:ct
- run: pip install nbformat && python scripts/generate_notebooks.py
- run: python scripts/generate_theme.py --outfile js/storybook/theme.css
- run: ruby scripts/generate_theme.rb --outfile js/storybook/theme.css
- run: bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css
- run: xvfb-run ./mvnw clean package
- run: echo "foo" && npm i && echo "bar"
- run: echo "foo" | npm i | echo "bar"
- run: echo "foo" | npm i | echo "bar"
- run: echo "foo `npm i` bar"
- run: dotnet test foo/Tests.csproj -c Release
- run: go run foo.go
- run: sed -i "s|git_branch = .*|git_branch = \"$GITHUB_HEAD_REF\"|" config.json # not supported yet
- run: sed -f ./config.sed file.txt > foo.txt
- run: sed -f config file.txt > foo.txt
- run: echo "foo" | awk -f ./config.awk > foo.txt
- run: gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo
- run: ./foo/cmd
- run: |
sed -e 's#<branch_to_sync>#TITLE#' \
-e 's#<sot_repo>#${{ env.sot_repo }}#' \
-e 's#<destination_repo>#${TITLE}#' \
.github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky
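Review bot: The `gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo` step has an unterminated double quote, which bash rejects with an "unexpected EOF while looking for matching `"`" error; the expected output copies it verbatim, so either close it (`--substitutions="COMMIT_SHA=foo"`) or add a comment stating that a syntactically broken script is the case under test. Two adjacent steps are byte-identical (`echo "foo" | npm i | echo "bar"` appears twice) and the second adds nothing beyond the first. The two `# not supported yet` markers would be more useful if they named what is unsupported — a bare script path with no interpreter, and a `sed -i` substitution built from `$GITHUB_HEAD_REF` — so the expected file can be updated deliberately when support lands.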


@@ -0,0 +1,40 @@
on: push
jobs:
job1:
runs-on: ubuntu-latest
outputs:
job_output: ${{ steps.step.outputs.value }}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Get changed files
id: source
uses: tj-actions/changed-files@v40
- name: Remove foo from changed files
id: step
uses: mad9000/actions-find-and-replace-string@3
with:
source: ${{ steps.source.outputs.all_changed_files }}
find: "foo"
replace: ""
- id: simplesink1
run: echo ${{ steps.source.outputs.all_changed_files }}
- id: simplesink2
run: ${{ github.event.pull_request.head.ref }}
job2:
runs-on: ubuntu-latest
if: ${{ always() }}
needs: job1
steps:
- id: sink
run: echo ${{needs.job1.outputs.job_output}}
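Review bot: The workflow triggers on `push`, yet `simplesink2` runs `${{ github.event.pull_request.head.ref }}`, which is empty for a push event; the expression only carries attacker-chosen data under `pull_request` or `pull_request_target`. If the source model is not trigger-aware this makes no difference to the test, but a comment such as `# trigger is irrelevant here: fixture exercises the expression parser, not event semantics` would stop the file from being read as a realistic example. `job2` also uses `if: ${{ always() }}` together with `needs: job1`, so its sink runs with an empty `job_output` when `job1` fails; fine for a fixture, worth stating.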


@@ -0,0 +1,202 @@
| .github/workflows/commands.yml:15:9:18:6 | Run Step | command1 |
| .github/workflows/commands.yml:15:9:18:6 | Run Step | command2 |
| .github/workflows/commands.yml:18:9:20:6 | Run Step | command3 |
| .github/workflows/commands.yml:18:9:20:6 | Run Step | command4 |
| .github/workflows/commands.yml:20:9:22:6 | Run Step | command5 "$(command6)" |
| .github/workflows/commands.yml:20:9:22:6 | Run Step | command6 |
| .github/workflows/commands.yml:22:9:24:6 | Run Step | command7 |
| .github/workflows/commands.yml:22:9:24:6 | Run Step | command8 |
| .github/workflows/commands.yml:24:9:26:6 | Run Step | command9 |
| .github/workflows/commands.yml:24:9:26:6 | Run Step | command10 |
| .github/workflows/commands.yml:26:9:28:6 | Run Step | command11 "`command12`" |
| .github/workflows/commands.yml:26:9:28:6 | Run Step | command12 |
| .github/workflows/commands.yml:28:9:31:2 | Run Step | command13 "`command14` $(date \| wc -l)" |
| .github/workflows/commands.yml:28:9:31:2 | Run Step | command14 |
| .github/workflows/commands.yml:28:9:31:2 | Run Step | date |
| .github/workflows/commands.yml:28:9:31:2 | Run Step | wc -l |
| .github/workflows/commands.yml:34:9:37:6 | Run Step | command1 |
| .github/workflows/commands.yml:34:9:37:6 | Run Step | command2 |
| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | LINE 1echo '${{ github.event.comment.body }}' |
| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' |
| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' |
| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | LINE 2 echo '${{github.event.issue.body}}' |
| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' |
| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' |
| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 2 echo '${{github.event.issue.body}}' |
| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 3 echo '${{ github.event.comment.body }}' |
| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' |
| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | echo "CHANGELOGEOF" |
| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | echo "changelog< |
| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | echo -e "$FILTERED_CHANGELOG" |
| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | tee -a $GITHUB_OUTPUT |
| .github/workflows/multiline2.yml:15:9:20:6 | Run Step | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64) |
| .github/workflows/multiline2.yml:15:9:20:6 | Run Step | base64 |
| .github/workflows/multiline2.yml:15:9:20:6 | Run Step | cat status.output.json |
| .github/workflows/multiline2.yml:15:9:20:6 | Run Step | dd if=/dev/urandom bs=15 count=1 status=none |
| .github/workflows/multiline2.yml:15:9:20:6 | Run Step | echo "$(cat status.output.json)" |
| .github/workflows/multiline2.yml:15:9:20:6 | Run Step | echo "$EOF" |
| .github/workflows/multiline2.yml:15:9:20:6 | Run Step | echo "status< |
| .github/workflows/multiline2.yml:15:9:20:6 | Run Step | tee -a $GITHUB_OUTPUT |
| .github/workflows/multiline2.yml:20:9:24:6 | Run Step | echo "$EOF" |
| .github/workflows/multiline2.yml:20:9:24:6 | Run Step | echo "response< |
| .github/workflows/multiline2.yml:20:9:24:6 | Run Step | echo $output |
| .github/workflows/multiline2.yml:20:9:24:6 | Run Step | tee -a $GITHUB_OUTPUT |
| .github/workflows/multiline2.yml:24:9:30:6 | Run Step | echo 'JSON_RESPONSE< |
| .github/workflows/multiline2.yml:24:9:30:6 | Run Step | echo EOF |
| .github/workflows/multiline2.yml:24:9:30:6 | Run Step | grep -E "*.(tar.gz\|zip)$" |
| .github/workflows/multiline2.yml:24:9:30:6 | Run Step | ls |
| .github/workflows/multiline2.yml:24:9:30:6 | Run Step | tee -a "$GITHUB_ENV" |
| .github/workflows/multiline2.yml:30:9:34:6 | Run Step | ${{ toJson(github.event) }} |
| .github/workflows/multiline2.yml:30:9:34:6 | Run Step | EOF |
| .github/workflows/multiline2.yml:30:9:34:6 | Run Step | cat <<-"EOF" > event.json |
| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | ${ISSUE_BODY} |
| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | EOL |
| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | FOO |
| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | cat |
| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | tee -a $GITHUB_ENV < |
| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | ${ISSUE_BODY} |
| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | EOL |
| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | FOO |
| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | cat > issue.txt < |
| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | ${ISSUE_BODY} |
| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | EOL |
| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | FOO |
| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | cat < |
| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | tee -a $GITHUB_ENV |
| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | EOF |
| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | Hello |
| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | World |
| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | cat < |
| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | sed 's/l/e/g' > file.txt |
| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | EOF |
| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | cat < |
| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | echo "FOO=$TITLE" |
| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | tee -a "$GITHUB_ENV" |
| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | cat issue.txt |
| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') |
| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' |
| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | sed 's/\\\\r/\\\\n/g' |
| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | tee -a $GITHUB_ENV |
| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | tr -d ' ' |
| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | echo "$TITLE" |
| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | echo "EOF" |
| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | echo "PR_TITLE< |
| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | tee -a $GITHUB_ENV |
| .github/workflows/multiline2.yml:71:9:78:6 | Run Step | echo "$TITLE" |
| .github/workflows/multiline2.yml:71:9:78:6 | Run Step | echo 'JSON_RESPONSE< |
| .github/workflows/multiline2.yml:71:9:78:6 | Run Step | echo EOF |
| .github/workflows/multiline2.yml:71:9:78:6 | Run Step | tee -a "$GITHUB_ENV" |
| .github/workflows/multiline2.yml:78:9:85:6 | Run Step | echo '$ISSUE' |
| .github/workflows/multiline2.yml:78:9:85:6 | Run Step | echo 'EOF' |
| .github/workflows/multiline2.yml:78:9:85:6 | Run Step | echo 'JSON_RESPONSE< |
| .github/workflows/multiline2.yml:78:9:85:6 | Run Step | tee -a "$GITHUB_ENV" |
| .github/workflows/multiline2.yml:85:9:89:35 | Run Step | echo 'JSON_RESPONSE< |
| .github/workflows/multiline2.yml:85:9:89:35 | Run Step | tee -a "$GITHUB_ENV" |
| .github/workflows/multiline.yml:11:9:15:6 | Run Step | echo "CHANGELOGEOF" |
| .github/workflows/multiline.yml:11:9:15:6 | Run Step | echo "changelog<<CHANGELOGEOF" |
| .github/workflows/multiline.yml:11:9:15:6 | Run Step | echo -e "$FILTERED_CHANGELOG" |
| .github/workflows/multiline.yml:15:9:20:6 | Run Step | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64) |
| .github/workflows/multiline.yml:15:9:20:6 | Run Step | base64 |
| .github/workflows/multiline.yml:15:9:20:6 | Run Step | cat status.output.json |
| .github/workflows/multiline.yml:15:9:20:6 | Run Step | dd if=/dev/urandom bs=15 count=1 status=none |
| .github/workflows/multiline.yml:15:9:20:6 | Run Step | echo "$(cat status.output.json)" |
| .github/workflows/multiline.yml:15:9:20:6 | Run Step | echo "$EOF" |
| .github/workflows/multiline.yml:15:9:20:6 | Run Step | echo "status<<$EOF" |
| .github/workflows/multiline.yml:20:9:24:6 | Run Step | echo "$EOF" |
| .github/workflows/multiline.yml:20:9:24:6 | Run Step | echo "response<<$EOF" |
| .github/workflows/multiline.yml:20:9:24:6 | Run Step | echo $output |
| .github/workflows/multiline.yml:24:9:30:6 | Run Step | echo 'JSON_RESPONSE< |
| .github/workflows/multiline.yml:24:9:30:6 | Run Step | echo EOF |
| .github/workflows/multiline.yml:24:9:30:6 | Run Step | grep -E "*.(tar.gz\|zip)$" |
| .github/workflows/multiline.yml:24:9:30:6 | Run Step | ls |
| .github/workflows/multiline.yml:30:9:34:6 | Run Step | ${{ toJson(github.event) }} |
| .github/workflows/multiline.yml:30:9:34:6 | Run Step | EOF |
| .github/workflows/multiline.yml:30:9:34:6 | Run Step | cat <<-"EOF" > event.json |
| .github/workflows/multiline.yml:34:9:40:6 | Run Step | ${ISSUE_BODY} |
| .github/workflows/multiline.yml:34:9:40:6 | Run Step | EOL |
| .github/workflows/multiline.yml:34:9:40:6 | Run Step | FOO |
| .github/workflows/multiline.yml:34:9:40:6 | Run Step | cat >> $GITHUB_ENV < |
| .github/workflows/multiline.yml:40:9:46:6 | Run Step | ${ISSUE_BODY} |
| .github/workflows/multiline.yml:40:9:46:6 | Run Step | EOL |
| .github/workflows/multiline.yml:40:9:46:6 | Run Step | FOO |
| .github/workflows/multiline.yml:40:9:46:6 | Run Step | cat > issue.txt < |
| .github/workflows/multiline.yml:46:9:52:6 | Run Step | ${ISSUE_BODY} |
| .github/workflows/multiline.yml:46:9:52:6 | Run Step | EOL |
| .github/workflows/multiline.yml:46:9:52:6 | Run Step | FOO |
| .github/workflows/multiline.yml:46:9:52:6 | Run Step | cat << EOL |
| .github/workflows/multiline.yml:52:9:58:6 | Run Step | EOF |
| .github/workflows/multiline.yml:52:9:58:6 | Run Step | Hello |
| .github/workflows/multiline.yml:52:9:58:6 | Run Step | World |
| .github/workflows/multiline.yml:52:9:58:6 | Run Step | cat < |
| .github/workflows/multiline.yml:52:9:58:6 | Run Step | sed 's/l/e/g' > file.txt |
| .github/workflows/multiline.yml:58:9:63:6 | Run Step | EOF |
| .github/workflows/multiline.yml:58:9:63:6 | Run Step | cat <<-EOF |
| .github/workflows/multiline.yml:58:9:63:6 | Run Step | echo "FOO=$TITLE" |
| .github/workflows/multiline.yml:63:9:66:6 | Run Step | cat issue.txt |
| .github/workflows/multiline.yml:63:9:66:6 | Run Step | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') |
| .github/workflows/multiline.yml:63:9:66:6 | Run Step | grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' |
| .github/workflows/multiline.yml:63:9:66:6 | Run Step | sed 's/\\\\r/\\\\n/g' |
| .github/workflows/multiline.yml:63:9:66:6 | Run Step | tr -d ' ' |
| .github/workflows/multiline.yml:66:9:71:6 | Run Step | echo "$TITLE" |
| .github/workflows/multiline.yml:66:9:71:6 | Run Step | echo "EOF" |
| .github/workflows/multiline.yml:66:9:71:6 | Run Step | echo "PR_TITLE<<EOF" |
| .github/workflows/multiline.yml:71:9:78:6 | Run Step | echo "$TITLE" |
| .github/workflows/multiline.yml:71:9:78:6 | Run Step | echo 'JSON_RESPONSE< |
| .github/workflows/multiline.yml:71:9:78:6 | Run Step | echo EOF |
| .github/workflows/multiline.yml:78:9:85:6 | Run Step | echo '$ISSUE' |
| .github/workflows/multiline.yml:78:9:85:6 | Run Step | echo 'EOF' |
| .github/workflows/multiline.yml:78:9:85:6 | Run Step | echo 'JSON_RESPONSE< |
| .github/workflows/multiline.yml:85:9:89:29 | Run Step | echo 'JSON_RESPONSE< |
| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | venv/bin/activate |
| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | . venv/bin/activate |
| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | . venv/bin/activate |
| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | echo foo |
| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | . venv/bin/activate |
| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | echo foo |
| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | . venv/bin/activate |
| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | echo foo |
| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | ./venv/bin/activate |
| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | sh venv/bin/activate.sh |
| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | echo $(sh venv/bin/activate.sh) |
| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | sh venv/bin/activate.sh |
| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | echo bar |
| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | echo foo |
| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | sh venv/bin/activate.sh |
| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | echo foo |
| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | sh venv/bin/activate.sh |
| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | python venv/bin/activate.py |
| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | echo foo |
| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | python venv/bin/activate.py |
| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | pnpm run test:ct |
| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | pip install nbformat |
| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | python scripts/generate_notebooks.py |
| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | python scripts/generate_theme.py --outfile js/storybook/theme.css |
| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css |
| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css |
| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | xvfb-run ./mvnw clean package |
| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | echo "bar" |
| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | echo "foo" |
| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | npm i |
| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | echo "bar" |
| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | echo "foo" |
| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | npm i |
| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | echo "bar" |
| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | echo "foo" |
| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | npm i |
| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | echo "foo `npm i` bar" |
| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | npm i |
| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | dotnet test foo/Tests.csproj -c Release |
| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | go run foo.go |
| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json |
| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | sed -f ./config.sed file.txt > foo.txt |
| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | sed -f config file.txt > foo.txt |
| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | awk -f ./config.awk > foo.txt |
| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | echo "foo" |
| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo |
| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | ./foo/cmd |
| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | sed -e 's#<branch_to_sync>#TITLE#' -e 's#<sot_repo>#${{ env.sot_repo }}#' -e 's#<destination_repo>#${TITLE}#' .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky |
| .github/workflows/shell.yml:12:9:14:2 | Run Step | echo "foo" |
| .github/workflows/shell.yml:17:9:19:2 | Run Step | echo "foo" |
| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} |
| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ github.event.pull_request.head.ref }} |
| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} |
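Review bot: Several rows are truncated at a quoted `<<`: `echo 'JSON_RESPONSE<` for the `{ … }` blocks in both files, `echo "changelog<` in multiline2.yml:11, and `tee -a $GITHUB_ENV <` for the real heredoc in multiline2.yml:34 where the delimiter is lost, whereas `echo "changelog<<CHANGELOGEOF"` and `cat << EOL` survive whole in multiline.yml. The splitter therefore seems to treat `<<` inside single quotes — and `<` inside a pipelined or braced command — as a heredoc operator, and accepting this file freezes that imprecision into the baseline. Either the command extraction should honour quoting so both fixtures yield the same `echo` commands, or the inconsistency between multiline.yml and multiline2.yml should be recorded next to the query so it is not mistaken for intended behaviour.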


@@ -0,0 +1,4 @@
import actions
from Run run
select run, run.getScript().getACommand()


@@ -0,0 +1,28 @@
| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step |
| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step |
| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step |
| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step |
| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step |
| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step |
| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step |
| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step |
| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step |
| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step |
| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step |
| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step |
| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step |
| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step |
| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step |
| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step |
| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step |
| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step |
| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step |
| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step |
| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step |
| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step |
| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step |
| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step |
| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step |
| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step |
| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step |
| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step |
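Review bot: The list skips line 34 (`dotnet test foo/Tests.csproj -c Release`) while flagging `go run foo.go` on line 35 and `xvfb-run ./mvnw clean package` on line 29. `dotnet test` builds and executes the checked-out project — its `.csproj` targets and test code run on the runner — so with an untrusted checkout it is at least as poisonable as `go run`; unless the omission is a deliberate negative case, it looks like a gap in the command list behind `PoisonableStep`. Lines 7 and 36 are also absent, which matches the `# not supported yet` comments in the fixture, so only the `dotnet` row needs a decision.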


@@ -0,0 +1,5 @@
import actions
import codeql.actions.security.PoisonableSteps
from PoisonableStep step
select step



@@ -0,0 +1,100 @@
import codeql.actions.Ast
import codeql.actions.Helper
import codeql.actions.Cfg as Cfg
import codeql.actions.DataFlow
import codeql.Locations
import codeql.actions.dataflow.ExternalFlow
query predicate files(File f) { any() }
query predicate workflows(Workflow w) { any() }
query predicate reusableWorkflows(ReusableWorkflow w) { any() }
query predicate compositeActions(CompositeAction w) { any() }
query predicate jobs(Job s) { any() }
query predicate localJobs(LocalJob s) { any() }
query predicate extJobs(ExternalJob s) { any() }
query predicate steps(Step s) { any() }
query predicate runExprs(Run s, Expression e) { e = s.getAnScriptExpr() }
query predicate uses(Uses s) { any() }
query predicate stepUses(UsesStep s) { any() }
query predicate usesArgs(Uses call, string argname, Expression arg) {
call.getArgumentExpr(argname) = arg
}
query predicate runStepChildren(Run run, AstNode child) { child.getParentNode() = run }
query predicate parentNodes(AstNode child, AstNode parent) { child.getParentNode() = parent }
query predicate cfgNodes(Cfg::Node n) { any() }
query predicate dfNodes(DataFlow::Node e) { any() }
query predicate argumentNodes(DataFlow::ArgumentNode e) { any() }
query predicate usesIds(UsesStep s, string a) { s.getId() = a }
query predicate nodeLocations(DataFlow::Node n, Location l) { n.getLocation() = l }
query predicate scopes(Cfg::CfgScope c) { any() }
query predicate sources(string action, string version, string output, string kind, string provenance) {
actionsSourceModel(action, version, output, kind, provenance)
}
query predicate summaries(
string action, string version, string input, string output, string kind, string provenance
) {
actionsSummaryModel(action, version, input, output, kind, provenance)
}
query predicate needs(DataFlow::Node e) { e.asExpr() instanceof NeedsExpression }
query string testNormalizeExpr(string s) {
s =
[
"github.event.pull_request.user['login']", "github.event.pull_request.user[\"login\"]",
"github.event.pull_request['user']['login']", "foo['bar'] == baz"
] and
result = normalizeExpr(s)
}
query predicate writeToGitHubEnv1(string content) {
exists(string t |
t =
[
"FOO\n{\n echo 'JSON_RESPONSE<<EOF'\n ls | grep -E \"*.(tar.gz|zip)$\"\n echo EOF\n } >> \"$GITHUB_ENV\"\nBAR"
//"FOO\n{\n echo 'JSON_RESPONSE<<EOF'\n echo \"$TITLE\"\n echo EOF\n} >> \"$GITHUB_ENV\"\nBAR",
//"FOO\necho \"VAR3<<EOF\" >> $GITHUB_ENV\necho \"$TITLE\" >> $GITHUB_ENV\necho \"EOF\" >> $GITHUB_ENV\nBAR",
] and
//linesFileWrite(t, _, "$GITHUB_ENV", content, _)
Bash::blockFileWrite(t, _, "$GITHUB_ENV", content, _)
//extractFileWrite(t, "GITHUB_ENV", content)
)
}
query predicate isBashParameterExpansion(string parameter, string operator, string params) {
exists(string test |
test =
[
"$parameter1", "${parameter2}", "${!parameter3}", "${#parameter4}", "${parameter5:-value}",
"${parameter6:=value}", "${parameter7:+value}", "${parameter8:?value}",
"${parameter9:=default value}", "${parameter10##*/}", "${parameter11/#pattern/string}",
"${parameter12/%pattern/string}", "${parameter13,pattern}", "${parameter14,,pattern}",
"${parameter15^pattern}", "${parameter16^^pattern}", "${parameter17:start}",
"${parameter18#pattern}", "${parameter19##pattern}", "${parameter20%pattern}",
"${parameter21%%pattern}", "${parameter22/pattern/string}",
"${parameter23//pattern/string}",
] and
Bash::isParameterExpansion(test, parameter, operator, params)
)
}
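Review bot: `writeToGitHubEnv1` carries two commented-out inputs and two commented-out alternative predicates (`linesFileWrite`, `extractFileWrite`), so the only form actually exercised is the `{ … } >> "$GITHUB_ENV"` block via `Bash::blockFileWrite`. Dead test vectors tend to stay dead; either re-enable them as further members of the list (each then needs its own expected row) or delete them and say in a `//` comment why only the block form is covered. A short `//` header on `isBashParameterExpansion` stating what `parameter`, `operator` and `params` should hold for a case like `${parameter10##*/}` would also let a reader check the expected file without opening the `Bash` module.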


@@ -0,0 +1,8 @@
import actions
import codeql.actions.config.ConfigExtensions as Extensions
from
string path, string trigger, string job, string secrets_source, string permissions,
string runner
where Extensions::workflowDataModel(path, trigger, job, secrets_source, permissions, runner)
select trigger, path, job, secrets_source, permissions, runner


@@ -0,0 +1,15 @@
on: [push]
jobs:
hello_world_job:
runs-on: ubuntu-latest
name: A job to say hello
steps:
- uses: actions/checkout@v4
- id: foo
uses: some-org/test-action@v1
with:
who-to-greet: ${{ github.event.pull_request.head.ref }}
- run: echo ${{ steps.foo.outputs.reflected}}
- run: echo ${{ steps.foo.outputs.tainted}}


@@ -0,0 +1,47 @@
name: Call a reusable workflow and use its outputs
on:
workflow_dispatch:
jobs:
call1:
uses: octo-org/this-repo/.github/workflows/reusable_workflow.yml@172239021f7ba04fe7327647b213799853a9eb89
with:
config-path: ${{ github.event.pull_request.head.ref }}
call2:
uses: ./.github/workflows/reusable_workflow.yml
with:
config-path: ${{ github.event.pull_request.head.ref }}
call3:
uses: octo-org/summary-repo/.github/workflows/workflow.yml@v1
with:
config-path: ${{ github.event.pull_request.head.ref }}
call4:
uses: octo-org/source-repo/.github/workflows/workflow.yml@v1
call5:
uses: octo-org/sink-repo/.github/workflows/workflow.yml@v1
with:
config-path: ${{ github.event.pull_request.head.ref }}
job1:
runs-on: ubuntu-latest
needs: call1
steps:
- run: echo ${{ needs.call1.outputs.workflow-output }}
job2:
runs-on: ubuntu-latest
needs: call2
steps:
- run: echo ${{ needs.call2.outputs.workflow-output1 }}
- run: echo ${{ needs.call2.outputs.workflow-output2 }}
job3:
runs-on: ubuntu-latest
needs: call3
steps:
- run: echo ${{ needs.call3.outputs.workflow-output }}
job4:
runs-on: ubuntu-latest
needs: call4
steps:
- run: echo ${{ needs.call4.outputs.workflow-output }}
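Review bot: `call5` passes `github.event.pull_request.head.ref` to `octo-org/sink-repo` but, unlike `call1`–`call4`, no job consumes its outputs, and `call4` consumes an output of `source-repo` without passing anything in; if these are the "sink lives in the callee" and "source lives in the callee" cases, a comment on each (`# sink modelled inside the called workflow`) would spell out the expectation. The workflow triggers on `workflow_dispatch`, where `github.event.pull_request` is absent, so the expression expands to an empty string at runtime — harmless for a parser fixture, but worth a one-line note so the file is not read as a real example. Only `call1` is pinned to a full commit SHA while the others use `@v1`; mixing both in one fixture looks deliberate for the `uses` resolver, and a comment would confirm it.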


@@ -0,0 +1,34 @@
name: Reusable workflow example
on:
workflow_call:
inputs:
config-path:
required: true
type: string
outputs:
workflow-output1:
value: ${{ jobs.job1.outputs.job-output1 }}
workflow-output2:
value: ${{ jobs.job1.outputs.job-output2 }}
secrets:
token:
required: true
jobs:
job1:
runs-on: ubuntu-latest
outputs:
job-output1: ${{ steps.step1.outputs.step-output}}
job-output2: ${{ steps.step2.outputs.all_changed_files}}
steps:
- id: step1
env:
CONFIG_PATH: ${{ inputs.config-path }}
run: |
echo ${{ inputs.config-path }}
echo "::set-output name=step-output::$CONFIG_PATH"
- name: Get changed files
id: step2
uses: tj-actions/changed-files@v40
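Review bot: The `step1` run block interpolates `${{ inputs.config-path }}` directly into the shell even though the step already exports the same value as `CONFIG_PATH` in `env:`, so the step is half safe and half injectable; if the direct interpolation is the intended test sink it deserves a `# VULNERABLE` marker like the output1/output2 fixtures, otherwise `echo "$CONFIG_PATH"` is the safe form. `echo "::set-output name=step-output::$CONFIG_PATH"` is the deprecated workflow command; the current form is `echo "step-output=$CONFIG_PATH" >> "$GITHUB_OUTPUT"`, and a value that may span lines needs the delimiter (heredoc) form instead. `tj-actions/changed-files@v40` is a mutable tag; pinning third-party actions to a full commit SHA, as the `actions/checkout@9bb56186…` references later in this commit do, is the usual hardening and applies to the `Hello World` action fixture as well.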


@@ -0,0 +1,15 @@
edges
| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:28:18:28:43 | inputs.who-to-greet | provenance | |
| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet | provenance | |
| action1/action.yml:24:7:31:4 | Uses Step: replace [value] | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | provenance | |
| action1/action.yml:28:18:28:43 | inputs.who-to-greet | action1/action.yml:24:7:31:4 | Uses Step: replace [value] | provenance | |
nodes
| action1/action.yml:4:3:4:14 | input who-to-greet | semmle.label | input who-to-greet |
| action1/action.yml:24:7:31:4 | Uses Step: replace [value] | semmle.label | Uses Step: replace [value] |
| action1/action.yml:28:18:28:43 | inputs.who-to-greet | semmle.label | inputs.who-to-greet |
| action1/action.yml:32:18:32:51 | steps.replace.outputs.value | semmle.label | steps.replace.outputs.value |
| action1/action.yml:35:25:35:50 | inputs.who-to-greet | semmle.label | inputs.who-to-greet |
subpaths
#select
| action1/action.yml:32:18:32:51 | steps.replace.outputs.value | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | Sink |
| action1/action.yml:35:25:35:50 | inputs.who-to-greet | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet | Sink |


@@ -0,0 +1 @@
Models/CompositeActionsSinks.ql


@@ -0,0 +1,21 @@
edges
| action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | provenance | |
| action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | provenance | |
| action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | provenance | |
| action1/action.yml:44:7:48:70 | Run Step: source [tainted] | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | provenance | |
| action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | action1/action.yml:44:7:48:70 | Run Step: source [tainted] | provenance | |
nodes
| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | semmle.label | steps.reflector.outputs.reflected |
| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | semmle.label | steps.source.outputs.tainted |
| action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | semmle.label | Run Step: reflector [reflected] |
| action1/action.yml:41:30:41:55 | inputs.who-to-greet | semmle.label | inputs.who-to-greet |
| action1/action.yml:42:7:44:4 | Uses Step: changed-files | semmle.label | Uses Step: changed-files |
| action1/action.yml:44:7:48:70 | Run Step: source [tainted] | semmle.label | Run Step: source [tainted] |
| action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files |
subpaths
#select
| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Source |
| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Source |
| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source |
| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source |
| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source |


@@ -0,0 +1,2 @@
Models/CompositeActionsSources.ql


@@ -0,0 +1,12 @@
edges
| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:41:30:41:55 | inputs.who-to-greet | provenance | |
| action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | provenance | |
| action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | provenance | |
nodes
| action1/action.yml:4:3:4:14 | input who-to-greet | semmle.label | input who-to-greet |
| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | semmle.label | steps.reflector.outputs.reflected |
| action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | semmle.label | Run Step: reflector [reflected] |
| action1/action.yml:41:30:41:55 | inputs.who-to-greet | semmle.label | inputs.who-to-greet |
subpaths
#select
| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Summary |


@@ -0,0 +1,2 @@
Models/CompositeActionsSummaries.ql


@@ -0,0 +1,24 @@
edges
| .github/workflows/calling_workflow.yml:12:5:15:2 | Job: call2 [workflow-output1] | .github/workflows/calling_workflow.yml:35:20:35:62 | needs.call2.outputs.workflow-output1 | provenance | |
| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | provenance | |
| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | provenance | |
| .github/workflows/reusable_workflow.yml:10:7:14:4 | output Job outputs node [workflow-output1] | .github/workflows/calling_workflow.yml:12:5:15:2 | Job: call2 [workflow-output1] | provenance | |
| .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | .github/workflows/reusable_workflow.yml:10:7:14:4 | output Job outputs node [workflow-output1] | provenance | |
| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | provenance | |
| .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | provenance | |
| .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | provenance | |
| .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | provenance | |
nodes
| .github/workflows/calling_workflow.yml:12:5:15:2 | Job: call2 [workflow-output1] | semmle.label | Job: call2 [workflow-output1] |
| .github/workflows/calling_workflow.yml:35:20:35:62 | needs.call2.outputs.workflow-output1 | semmle.label | needs.call2.outputs.workflow-output1 |
| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | semmle.label | input config-path |
| .github/workflows/reusable_workflow.yml:10:7:14:4 | output Job outputs node [workflow-output1] | semmle.label | output Job outputs node [workflow-output1] |
| .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | semmle.label | jobs.job1.outputs.job-output1 |
| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | semmle.label | Job outputs node [job-output1] |
| .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | semmle.label | steps.step1.outputs.step-output |
| .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | semmle.label | Run Step: step1 [step-output] |
| .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | semmle.label | inputs.config-path |
| .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | semmle.label | inputs.config-path |
subpaths
#select
| .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | Sink |


@@ -0,0 +1,2 @@
Models/ReusableWorkflowsSinks.ql


@@ -0,0 +1,12 @@
edges
| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | provenance | |
| .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | provenance | |
| .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | provenance | |
nodes
| .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | semmle.label | jobs.job1.outputs.job-output2 |
| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | semmle.label | Job outputs node [job-output2] |
| .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | semmle.label | steps.step2.outputs.all_changed_files |
| .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | semmle.label | Uses Step: step2 |
subpaths
#select
| .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | Source |


@@ -0,0 +1,2 @@
Models/ReusableWorkflowsSources.ql


@@ -0,0 +1,16 @@
edges
| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | provenance | |
| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | provenance | |
| .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | provenance | |
| .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | provenance | |
| .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | provenance | |
nodes
| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | semmle.label | input config-path |
| .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | semmle.label | jobs.job1.outputs.job-output1 |
| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | semmle.label | Job outputs node [job-output1] |
| .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | semmle.label | steps.step1.outputs.step-output |
| .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | semmle.label | Run Step: step1 [step-output] |
| .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | semmle.label | inputs.config-path |
subpaths
#select
| .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | Summary |


@@ -0,0 +1,2 @@
Models/ReusableWorkflowsSummaries.ql


@@ -0,0 +1,51 @@
name: 'Hello World'
description: 'Greet someone'
inputs:
who-to-greet: # id of input
description: 'Who to greet'
required: true
default: 'World'
outputs:
reflected:
description: "Reflected input"
value: ${{ steps.reflector.outputs.reflected }}
tainted:
description: "Reflected input"
value: ${{ steps.source.outputs.tainted}}
runs:
using: "composite"
steps:
- name: Secure Set Greeting
run: echo "Hello $INPUT_WHO_TO_GREET."
shell: bash
env:
INPUT_WHO_TO_GREET: ${{ inputs.who-to-greet }}
- name: Remove foo
id: replace
uses: mad9000/actions-find-and-replace-string@3
with:
source: ${{ inputs.who-to-greet }}
find: 'foo'
replace: ''
- id: sink
run: echo ${{ steps.replace.outputs.value }}
shell: bash
- name: Vulnerable Set Greeting
run: echo "Hello ${{ inputs.who-to-greet }}."
shell: bash
- id: reflector
run: echo "reflected=$(echo $INPUT_WHO_TO_GREET)" >> $GITHUB_OUTPUT
shell: bash
env:
INPUT_WHO_TO_GREET: ${{ inputs.who-to-greet }}
- id: changed-files
uses: tj-actions/changed-files@v40
- id: source
run: echo "tainted=$(echo $TAINTED)" >> $GITHUB_OUTPUT
shell: bash
env:
TAINTED: ${{ steps.changed-files.outputs.all_changed_files }}
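Review bot: The `reflector` and `source` steps write env-derived values into `$GITHUB_OUTPUT` as a single `key=value` line, so a value that spans lines is written as additional output lines; if these steps are meant to be taint pass-throughs (summaries) rather than sinks, a comment saying so would keep a reader from taking them as the safe pattern. The defensive form is the delimiter syntax, e.g. `{ echo "reflected<<$delim"; echo "$INPUT_WHO_TO_GREET"; echo "$delim"; } >> "$GITHUB_OUTPUT"` with `$delim` generated fresh per run. The `Vulnerable Set Greeting` step is labelled by name, but the `sink` step (`echo ${{ steps.replace.outputs.value }}`) carries no marker, and `$GITHUB_OUTPUT` is unquoted in both redirections.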


@@ -0,0 +1,39 @@
on:
issue_comment:
jobs:
test1:
runs-on: ubuntu-latest
steps:
- id: clob1
env:
BODY: ${{ github.event.comment.body }}
run: |
# VULNERABLE
echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT
echo "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT
- id: clob2
run: |
echo ${{ steps.clob1.outputs.OUTPUT_1 }}
echo ${{ steps.clob1.outputs.OUTPUT_2 }}
test2:
runs-on: ubuntu-latest
steps:
- id: clob1
env:
BODY: ${{ github.event.comment.body }}
run: |
# NOT VULNERABLE
echo "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT
test3:
runs-on: ubuntu-latest
steps:
- name: Download artifact
uses: dawidd6/action-download-artifact@v6
with:
run_id: ${{ github.event.workflow_run.id }}
name: pr_number
- id: clob1
run: |
# VULNERABLE
echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT
echo "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT
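Review bot: `test3` reads `${{ github.event.workflow_run.id }}` although the file is triggered by `issue_comment`, where no `workflow_run` payload exists, so `run_id` would be empty at runtime and the download step would not fetch the intended artifact; if the query models the download-artifact step as a source irrespective of trigger, a comment to that effect (or a `workflow_run:` entry under `on:`) would make the fixture self-explanatory. The same mismatch is in the output2 fixture that follows. Separately, `$GITHUB_OUTPUT` is unquoted in every redirection; `>> "$GITHUB_OUTPUT"` is the safe spelling and costs nothing in a fixture.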


@@ -0,0 +1,62 @@
on:
issue_comment:
jobs:
test1:
runs-on: ubuntu-latest
steps:
- id: clob1
env:
BODY: ${{ github.event.comment.body }}
run: |
# VULNERABLE
echo $BODY
echo "::set-output name=OUTPUT::SAFE"
- id: clob2
env:
BODY: ${{ github.event.comment.body }}
run: |
# VULNERABLE
echo "::set-output name=OUTPUT::SAFE"
echo $BODY
- id: clob3
run: |
echo ${{ steps.clob1.outputs.OUTPUT }}
test2:
runs-on: ubuntu-latest
steps:
- id: clob1
env:
BODY: ${{ github.event.comment.body }}
run: |
# NOT VULNERABLE
echo "::set-output name=OUTPUT::SAFE"
test3:
runs-on: ubuntu-latest
steps:
- name: Download artifact
uses: dawidd6/action-download-artifact@v6
with:
run_id: ${{ github.event.workflow_run.id }}
name: pr_number
- id: clob1
run: |
# VULNERABLE
PR="$(<pr-number)"
echo "$PR"
echo "::set-output name=OUTPUT::SAFE"
- id: clob2
run: |
# VULNERABLE
cat pr-number
echo "::set-output name=OUTPUT::SAFE"
- id: clob3
run: |
# VULNERABLE
echo "::set-output name=OUTPUT::SAFE"
ls *.txt
- id: clob4
run: |
# VULNERABLE
CURRENT_VERSION=$(cat gradle.properties | sed -n '/^version=/ { s/^version=//;p }')
echo "$CURRENT_VERSION"
echo "::set-output name=OUTPUT::SAFE"


@@ -0,0 +1,33 @@
edges
| .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | provenance | Config |
| .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | provenance | Config |
| .github/workflows/output2.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | provenance | Config |
| .github/workflows/output2.yml:16:18:16:49 | github.event.comment.body | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | provenance | Config |
| .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n | provenance | Config |
| .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:48:14:51:48 | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n | provenance | Config |
| .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | provenance | Config |
| .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | provenance | Config |
nodes
| .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | semmle.label | github.event.comment.body |
| .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | semmle.label | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n |
| .github/workflows/output1.yml:30:9:35:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | semmle.label | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n |
| .github/workflows/output2.yml:9:18:9:49 | github.event.comment.body | semmle.label | github.event.comment.body |
| .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | semmle.label | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n |
| .github/workflows/output2.yml:16:18:16:49 | github.event.comment.body | semmle.label | github.event.comment.body |
| .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | semmle.label | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n |
| .github/workflows/output2.yml:36:9:41:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n | semmle.label | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n |
| .github/workflows/output2.yml:48:14:51:48 | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n | semmle.label | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n |
| .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | semmle.label | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n |
| .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | semmle.label | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n |
subpaths
#select
| .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n |
| .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n |
| .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n |
| .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | .github/workflows/output2.yml:16:18:16:49 | github.event.comment.body | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n |
| .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n |
| .github/workflows/output2.yml:48:14:51:48 | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:48:14:51:48 | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:48:14:51:48 | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n |
| .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n |
| .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n |


@@ -0,0 +1 @@
Security/CWE-074/OutputClobberingHigh.ql


@@ -0,0 +1,32 @@
name: DownloadArtifacts
description: 'Downloads and unarchives artifacts for a workflow that runs on workflow_run so that it can use its data'
runs:
using: "composite"
steps:
- uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
owner: context.repo.owner,
repo: context.repo.repo,
run_id: context.payload.workflow_run.id,
});
let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
return artifact.name == "artifacts"
})[0];
let download = await github.rest.actions.downloadArtifact({
owner: context.repo.owner,
repo: context.repo.repo,
artifact_id: matchArtifact.id,
archive_format: 'zip',
});
let fs = require('fs');
fs.writeFileSync(`/tmp/artifacts.zip`, Buffer.from(download.data));
- run: |
mkdir -p /tmp/artifacts
unzip /tmp/artifacts.zip
shell: bash
- run: |
echo "Downloaded artifacts:"
ls -ablh
shell: bash
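Review bot: `unzip /tmp/artifacts.zip` extracts into the current working directory rather than the `/tmp/artifacts` directory created on the line before, and `ls -ablh` then lists the workspace, so the `SnapshotPR` fixture that reads `/tmp/artifacts/metadata.txt` after `uses: ./.github/actions/download-artifact` would not find the file; the sibling `DownloadArtifacts` section that follows passes `-d /tmp/artifacts`, so if the difference is deliberate a comment saying so would help. Extracting an artifact produced by another, possibly fork-triggered, run into the checkout is also the riskier location, since archive entries land among repository files that later steps execute. In the script, `filter(...)[0]` yields `undefined` when no artifact is named `artifacts` and `matchArtifact.id` then throws a TypeError; `if (!matchArtifact) throw new Error("artifact 'artifacts' not found");` before the download call gives a clear failure, and the same applies to the sibling action.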


@@ -0,0 +1,32 @@
name: DownloadArtifacts
description: 'Downloads and unarchives artifacts for a workflow that runs on workflow_run so that it can use its data'
runs:
using: "composite"
steps:
- uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
owner: context.repo.owner,
repo: context.repo.repo,
run_id: context.payload.workflow_run.id,
});
let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
return artifact.name == "artifacts"
})[0];
let download = await github.rest.actions.downloadArtifact({
owner: context.repo.owner,
repo: context.repo.repo,
artifact_id: matchArtifact.id,
archive_format: 'zip',
});
let fs = require('fs');
fs.writeFileSync(`/tmp/artifacts.zip`, Buffer.from(download.data));
- run: |
mkdir -p /tmp/artifacts
unzip /tmp/artifacts.zip -d /tmp/artifacts
shell: bash
- run: |
echo "Downloaded artifacts:"
ls -ablh /tmp/artifacts
shell: bash


@@ -0,0 +1,20 @@
name: Pull Request Open
on:
workflow_run:
workflows: ["Prev"]
types:
- completed
jobs:
Download:
runs-on: ubuntu-latest
steps:
- run: |
gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name"
- name: Unzip
run: |
unzip artifact_name.zip -d foo
- name: Env Var Injection
run: |
echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV
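Review bot: `echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV` appends the content of a file taken from a `workflow_run` artifact straight into the job environment without any validation of the value; since a PR number is numeric, the minimal guard is `pr=$(cat foo/bar); [[ "$pr" =~ ^[0-9]+$ ]] || exit 1` before the write, and `"$GITHUB_ENV"` should be quoted. The heredoc variants in the next two `Pull Request Open` sections and in the `Write prerelease comment` workflow use a fixed `EOF` delimiter, which does not close the hole because a multi-line file can end the block early; the documented mitigation is a per-run random delimiter. `gh run download` presumably also needs `GH_TOKEN` in the step `env:` to authenticate, which none of the three variants set, and `gh run download` already extracts the artifact, so the `artifact_name.zip` the `Unzip` step expects may not exist.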


@@ -0,0 +1,26 @@
name: Pull Request Open
on:
workflow_run:
workflows: ["Prev"]
types:
- completed
jobs:
Download:
runs-on: ubuntu-latest
steps:
- run: |
gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name"
- name: Unzip
run: |
unzip artifact_name.zip -d foo
- name: Env Var Injection
run: |
echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"
cat foo >> "$GITHUB_ENV"
echo "EOF" >> "${GITHUB_ENV}"
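Review bot: `cat foo >> "$GITHUB_ENV"` targets `foo`, which the preceding `unzip artifact_name.zip -d foo` creates as a directory, so `cat` fails with "Is a directory" and nothing reaches the environment; the fixture presumably meant a file inside it, as the first variant's `cat foo/bar` does. The same `cat foo` appears in the `{ … } >> "$GITHUB_ENV"` variant that follows.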


@@ -0,0 +1,27 @@
name: Pull Request Open
on:
workflow_run:
workflows: ["Prev"]
types:
- completed
jobs:
Download:
runs-on: ubuntu-latest
steps:
- run: |
gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name"
- name: Unzip
run: |
unzip artifact_name.zip -d foo
- run: |
{
echo 'JSON_RESPONSE<<EOF'
cat foo
echo EOF
} >> "$GITHUB_ENV"


@@ -0,0 +1,29 @@
name: SnapshotPR
on:
workflow_run:
workflows:
- ApprovalComment
types:
- completed
jobs:
snapshot:
permissions:
id-token: write
pull-requests: write
statuses: write
if: github.event.workflow_run.conclusion == 'success'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- uses: ./.github/actions/download-artifact
- id: metadata
run: |
pr_number="$(head -n 2 /tmp/artifacts/metadata.txt | tail -n 1)"
pr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"
echo PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"
echo PR_NUMBER="$pr_number" >> "$GITHUB_ENV"
- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
with:
ref: ${{ env.PR_COMMIT }}
- uses: ./.github/actions/install-deps
- run: make snapshot
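Review bot: `pr_commit` is taken from an artifact of another run and then used unchecked as the `ref:` for `actions/checkout`, after which `make snapshot` runs with `id-token: write` and `pull-requests: write` in scope; the `if:` only checks the upstream run's conclusion, not where the commit came from. A defensive step between the two checkouts would validate the value and its provenance, e.g. `[[ "$pr_commit" =~ ^[0-9a-f]{40}$ ]]` plus a `gh api repos/$GITHUB_REPOSITORY/pulls/$pr_number/commits` check that the SHA belongs to that PR, and a build of an untrusted ref should not run under write permissions at all. `/tmp/artifacts/metadata.txt` is also read positionally (`head -n 2 | tail -n 1`, `tail -n 1`) with no check that the file has the expected number of lines. The `SnapshotPR` variant that follows (`download-artifact-2`) shares all of this.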


@@ -0,0 +1,29 @@
name: SnapshotPR
on:
workflow_run:
workflows:
- ApprovalComment
types:
- completed
jobs:
snapshot:
permissions:
id-token: write
pull-requests: write
statuses: write
if: github.event.workflow_run.conclusion == 'success'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- uses: ./.github/actions/download-artifact-2
- id: metadata
run: |
pr_number="$(head -n 2 /tmp/artifacts/metadata.txt | tail -n 1)"
pr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"
echo PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"
echo PR_NUMBER="$pr_number" >> "$GITHUB_ENV"
- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
with:
ref: ${{ env.PR_COMMIT }}
- uses: ./.github/actions/install-deps
- run: make snapshot


@@ -0,0 +1,33 @@
name: Pull Request Open
on:
pull_request_target:
jobs:
test:
runs-on: ubuntu-latest
steps:
- run: echo "${{ github.event.pull_request.title }}" >> $GITHUB_PATH
- env:
PATHINJ: ${{ github.event.pull_request.title }}
run: echo $(echo "$PATHINJ") >> $GITHUB_PATH
- env:
PATHINJ: ${{ github.event.pull_request.title }}
run: echo $PATHINJ >> $GITHUB_PATH
- env:
PATHINJ: ${{ github.event.pull_request.title }}
run: echo ${PATHINJ} >> $GITHUB_PATH
- uses: dawidd6/action-download-artifact@v2
with:
name: artifact_name
path: foo
- run: echo "$(cat foo/bar)" >> $GITHUB_PATH
- env:
ACTIONS_ALLOW_UNSECURE_COMMANDS: true
PATHINJ: ${{ github.event.pull_request.title }}
run: echo "::add-path::$PATHINJ"
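Review bot: Every step appends a value derived from `github.event.pull_request.title` or an artifact to `$GITHUB_PATH` under `pull_request_target`, so the lookup path for the remaining steps is PR-influenced; the defensive form derives the directory from trusted data (`echo "$GITHUB_WORKSPACE/bin" >> "$GITHUB_PATH"`), never from the event payload, and the first step (`echo "${{ github.event.pull_request.title }}"`) is additionally direct expression injection rather than path injection only, which the fixture could label. `ACTIONS_ALLOW_UNSECURE_COMMANDS: true` is a YAML boolean inside an `env:` map; `ACTIONS_ALLOW_UNSECURE_COMMANDS: "true"` keeps it a string regardless of parser, and re-enabling `::add-path::` is itself a weakening worth a one-line comment. `$GITHUB_PATH` should be quoted in the redirections. The `dawidd6/action-download-artifact@v2` step has no `run_id`, so which run it downloads from is not clear from the fixture.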


@@ -0,0 +1,15 @@
name: Test
on:
pull_request_target:
jobs:
test:
runs-on: ubuntu-latest
steps:
- name: Code Injection, do not report as ENV VAR INJ
run: echo ISSUE_KEY=$(echo "${{ github.event.pull_request.title }}") >> $GITHUB_ENV
- name: Code Injection, do not report as ENV VAR INJ
run: echo ISSUE_KEY=$(echo "${{ github.event.pull_request.head.ref }}") >> $GITHUB_ENV


@@ -0,0 +1,28 @@
name: Build and Dockerize
on:
pull_request_target:
jobs:
build:
name: Test
runs-on: ubuntu-latest
steps:
- name: Decide Which 'ref' To Checkout
id: decide-ref
run: |
if [[ "${{github.event_name}}" == "pull_request_target" ]]; then
echo "ref=refs/pull/${{ github.event.pull_request.number }}/merge" >> $GITHUB_OUTPUT
else
echo "ref=${{github.ref}}" >> $GITHUB_OUTPUT
fi
- name: Checkout
uses: actions/checkout@v4
with:
ref: ${{steps.decide-ref.outputs.ref}}
path: "foo"
- name: Read Java Config
run: cat foo/.github/java-config.env >> $GITHUB_ENV
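Review bot: `cat foo/.github/java-config.env >> $GITHUB_ENV` reads a file from the checkout of `refs/pull/N/merge`, i.e. PR-controlled content under `pull_request_target`, and appends it unfiltered to the job environment; if this is the intended sink a `# VULNERABLE` marker would match the other fixtures, and the defensive form is to read the config from the base ref (`ref: ${{ github.event.pull_request.base.sha }}`) or to accept only lines matching an allow-list such as `grep -E '^[A-Z_]+=[A-Za-z0-9._-]+$'` before the write. The `if [[ "${{github.event_name}}" == … ]]` comparison interpolates a trusted value, but `"$GITHUB_EVENT_NAME"` avoids mixing expression syntax into shell at all. `$GITHUB_OUTPUT` and `$GITHUB_ENV` should be quoted.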


@@ -0,0 +1,28 @@
name: Write prerelease comment
on:
workflow_run:
workflows: ["Create Pull Request Prerelease"]
types:
- completed
jobs:
comment:
if: ${{ github.repository_owner == 'foo' }}
runs-on: ubuntu-latest
name: Write comment to the PR
steps:
- name: "Download runtime versions"
uses: dawidd6/action-download-artifact@v2
with:
run_id: ${{ github.event.workflow_run.id }}
name: runtime-versions.md
- name: "Put runtime versions on the environment"
id: runtime_versions
run: |
{
echo 'RUNTIME_VERSIONS<<EOF'
cat runtime-versions.md
echo EOF
} >> "$GITHUB_ENV"
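Review bot: The job-level `if: ${{ github.repository_owner == 'foo' }}` looks like a protection but does not constrain the artifact: `runtime-versions.md` is produced by the triggering `workflow_run`, which can originate from a fork PR, and its contents are appended to `GITHUB_ENV` unchanged. If the fixture is meant to verify that such a guard is not treated as a sanitizer, say so, e.g. `# The owner check does not sanitize the downloaded artifact; the finding below is still expected`. `dawidd6/action-download-artifact@v2` is a floating major tag; fine for a fixture, but the SHA-pinned form used elsewhere in this commit avoids tooling noise.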


@@ -0,0 +1,80 @@
name: Write prerelease comment
on:
workflow_run:
workflows: ["Create Pull Request Prerelease"]
types:
- completed
jobs:
comment:
runs-on: ubuntu-latest
name: Write comment to the PR
steps:
- name: "Put PR and workflow ID on the environment"
uses: actions/github-script@v7
with:
script: |
// Copied from .github/extract-pr-and-workflow-id.js
const allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
owner: context.repo.owner,
repo: context.repo.repo,
run_id: context.payload.workflow_run.id,
});
for (const artifact of allArtifacts.data.artifacts) {
// Extract the PR number from the artifact name
const match = /^npm-package-(.+)-(\d+)$/.exec(artifact.name);
if (match) {
const packageName = match[1].toUpperCase();
require("fs").appendFileSync(
process.env.GITHUB_ENV,
`\nWORKFLOW_RUN_PR_FOR_${packageName}=${match[2]}` +
`\nWORKFLOW_RUN_ID_FOR_${packageName}=${context.payload.workflow_run.id}`
);
}
}
- name: "Download runtime versions"
# Regular `actions/download-artifact` doesn't support downloading
# artifacts from another workflow
uses: dawidd6/action-download-artifact@v2
with:
run_id: ${{ github.event.workflow_run.id }}
name: runtime-versions.md
- name: "Put runtime versions on the environment"
id: runtime_versions
run: |
{
echo 'RUNTIME_VERSIONS<<EOF'
cat runtime-versions.md
echo EOF
} >> "$GITHUB_ENV"
- name: "Download pre-release report"
uses: dawidd6/action-download-artifact@v2
with:
run_id: ${{ github.event.workflow_run.id }}
name: prerelease-report.md
- name: "Put pre-release report on the environment"
id: prerelease_report
run: |
{
echo 'PRERELEASE_REPORT<<EOF'
cat prerelease-report.md
echo EOF
} >> "$GITHUB_ENV"
- name: "Comment on PR with Wrangler link"
uses: marocchino/sticky-pull-request-comment@v2
with:
number: ${{ env.WORKFLOW_RUN_PR_FOR_WRANGLER }}
message: |
${{ env.PRERELEASE_REPORT }}
---
${{ env.RUNTIME_VERSIONS }}
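Review bot: The `actions/github-script` step also writes to `GITHUB_ENV`, and its input is attacker-influenced: `artifact.name` comes from the triggering run, and `^npm-package-(.+)-(\d+)$` leaves `match[1]` unconstrained, so the suffix of the variable name `WORKFLOW_RUN_PR_FOR_${packageName}` — and, assuming `=` is permitted in artifact names, its value — is chosen by whoever named the artifact. That step does not appear in the expected results, presumably because only `run:` steps are modelled; if that is deliberate, a comment such as `# Not modelled: github-script appending to GITHUB_ENV` on the step would stop it being read as a false negative later. The PR number handed to `sticky-pull-request-comment` comes from the same artifact name, so which PR receives the comment is attacker-chosen as well, though that is outside this query's scope.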


@@ -0,0 +1,23 @@
name: publish
on:
pull_request_target:
branches:
- main
jobs:
need-publish:
permissions:
actions: write
name: Need Publish
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.ref }}
- name: Get commit message
run: |
COMMIT_MESSAGE=$(git log --format=%s)
echo "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV
- name: Get commit message
run: |
echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV
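Review bot: `git log --format=%s` without `-1` emits the subject of every commit in the history, one per line, so `echo "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV` writes each further subject as its own `GITHUB_ENV` line, and a commit titled `NODE_OPTIONS=--require ./x.js` would be honoured by later steps; `git log -1 --format=%s` is what the step appears to intend. As far as I can tell, `actions/checkout` with `ref: ${{ github.event.pull_request.head.ref }}` and no `repository:` fetches the branch of that name from the base repository, so for a fork PR the commits read here are not the contributor's unless the branch name collides; whether the fixture intends the same-repo case deserves a comment. The two `Get commit message` steps are equivalent in effect; the second presumably exists to cover the inline-substitution form and could say so in its `name`.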


@@ -0,0 +1,30 @@
name: Pull Request Open
on:
pull_request_target:
jobs:
test1:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
with:
ref: ${{ github.event.pull_request.head.sha }}
- id: changed-files
run: |
echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"
- run: echo "${{ env.CHANGED-FILES }}"
test2:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
with:
ref: ${{ github.event.pull_request.head.sha }}
- id: changed-files
run: |
FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)
echo "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"
- run: echo "${{ env.CHANGED-FILES }}"
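Review bot: Under `pull_request_target`, `github.sha` is the head of the base branch rather than the PR, so `git diff-tree … ${{ github.sha }}` lists the files of the latest base commit (which may not even be in the shallow history of the `head.sha` checkout); if the fixture is meant to model attacker-controlled file names, `${{ github.event.pull_request.head.sha }}` is the realistic ref. Independently, `--name-only` prints one path per line, so with two or more changed files the second path becomes its own `GITHUB_ENV` line, and a file literally named `FOO=bar` is a legal path — the injection needs no newline inside a single name. `CHANGED-FILES` with a hyphen is not addressable from bash (`$CHANGED-FILES` is `$CHANGED` followed by `-FILES`), only through `${{ env.CHANGED-FILES }}`; `CHANGED_FILES` avoids the trap.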


@@ -0,0 +1,29 @@
name: Pull Request Open
on:
pull_request_target:
jobs:
test1:
runs-on: ubuntu-latest
steps:
- id: title
run: |
echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"
- run: echo "$TITLE"
test2:
runs-on: ubuntu-latest
steps:
- id: title
run: |
PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})
echo "BODY=$PR_BODY" >> "$GITHUB_ENV"
- run: echo "$TITLE"
test3:
runs-on: ubuntu-latest
steps:
- run: |
echo "branch_name=$(jq --raw-output .pull_request.head.ref $GITHUB_EVENT_PATH)" >> $GITHUB_ENV
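Review bot: Both `title` steps export `BODY` to `GITHUB_ENV`, but the step that follows each prints `$TITLE`, which is never set, so the consumer line is a no-op; `- run: echo "$BODY"` (and `id: body`) would make the fixture read as intended. `jq --raw-output` decodes JSON escapes, so a `\n` inside `.pull_request.body` reaches the shell as a real newline, which is exactly what makes `echo "BODY=$PR_BODY" >> "$GITHUB_ENV"` injectable; a comment on `test2` saying `# jq -r preserves newlines, not a sanitizer` would help readers who assume otherwise. The `test3` step reads `.pull_request.head.ref`, a git ref name that cannot contain newlines; if it is meant as a negative case, label it as such.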


@@ -0,0 +1,35 @@
name: Pull Request Open
on:
workflow_run:
jobs:
test1:
runs-on: ubuntu-latest
steps:
- name: Download PR metadata
uses: dawidd6/action-download-artifact@e6e25ac3a2b93187502a8be1ef9e9603afc34925 # v2.24.2
with:
workflow: ${{ github.event.workflow_run.workflow_id }}
name: pr_metadata
- run: |
# VULNERABLE
echo "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV
- run: |
# VULNERABLE
echo "PR_NUMBER=$(cat pr_number.txt | tr ',' '\n')" >> $GITHUB_ENV
- run: |
# NOT VULNERABLE
echo "PR_NUMBER=$(cat pr_number.txt | tr '\n' ' ')" >> $GITHUB_ENV
- run: |
# NOT VULNERABLE
echo "PR_NUMBER=$(cat pr_number.txt | tr -d '\n')" >> $GITHUB_ENV
- run: |
# NOT VULNERABLE
echo "PR_NUMBER=$(cat pr_number.txt | tr -cd '[:alpha:]_')" >> $GITHUB_ENV
- run: |
# NOT VULNERABLE
echo "PR_NUMBER=$(cat pr_number.txt | tail -n 1)" >> $GITHUB_ENV
- run: |
# NOT VULNERABLE
echo "PR_NUMBER=$(cat pr_number.txt | head -n 1)" >> $GITHUB_ENV
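Review bot: The `tr -cd '[:alpha:]_'` case marked NOT VULNERABLE strips digits, so a real PR number would always yield an empty `PR_NUMBER`; `tr -cd '[:alnum:]_'` is the realistic sanitizer and still removes newlines, so the expected result is unaffected. The `tr '\n' ' '`, `tr -d '\n'`, `head -n 1` and `tail -n 1` negatives all rest on the same fact, which the fixture never states: a comment at the top such as `# Only a newline in the value can add extra GITHUB_ENV lines; each NOT VULNERABLE case removes or collapses newlines` would explain why line selection counts as sanitizing. `on: workflow_run:` with no `workflows:` list is, I believe, rejected by GitHub's workflow validation; the extractor does not care, but the other fixtures supply one.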


@@ -0,0 +1,36 @@
on:
push:
branches: [main]
workflow_dispatch:
inputs:
pypi:
type: boolean
description: Publish
jobs:
publish:
runs-on: ubuntu-latest
permissions:
id-token: write
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
token: ${{ secrets._GITHUB_TOKEN }}
- name: Extract PR Details
env:
GH_TOKEN: ${{ secrets._GITHUB_TOKEN }}
run: |
# Check if the event is a pull request or pull_request_target
if [ "${{ github.event_name }}" = "pull_request" ] || [ "${{ github.event_name }}" = "pull_request_target" ]; then
PR_NUMBER=${{ github.event.pull_request.number }}
PR_TITLE=$(gh pr view $PR_NUMBER --json title --jq '.title')
else
# Use gh to find the PR associated with the commit
COMMIT_SHA=${{ github.event.after }}
PR_JSON=$(gh pr list --search "${COMMIT_SHA}" --state merged --json number,title --jq '.[0]')
PR_NUMBER=$(echo $PR_JSON | jq -r '.number')
PR_TITLE=$(echo $PR_JSON | jq -r '.title')
fi
echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_ENV
echo "PR_TITLE=$PR_TITLE" >> $GITHUB_ENV
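Review bot: `PR_TITLE` here is fetched from the GitHub API via `gh pr view` / `gh pr list` rather than from the event payload, and is written by `echo "PR_TITLE=$PR_TITLE" >> $GITHUB_ENV`, so whether it is reported depends on the query modelling `gh` output as a source; the fixture should state the expected outcome in a step comment either way. The `pull_request` / `pull_request_target` branch is unreachable with only `push` and `workflow_dispatch` triggers, and on `workflow_dispatch` the payload has no `after`, so `${{ github.event.after }}` expands to an empty string and `gh pr list --search ""` matches arbitrary merged PRs; `${{ github.sha }}` works for both triggers. `id-token: write` on a job that also holds `secrets._GITHUB_TOKEN` is a realistic high-value target, which is worth a comment if that is why this fixture exists.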


@@ -0,0 +1,32 @@
on:
schedule:
- cron: '0 0 * * *'
pull_request:
types: [ opened, synchronize, reopened ]
branches: ["master", "*-rc"]
workflow_dispatch:
jobs:
tests:
runs-on: ubuntu-latest
steps:
- name: Checkout Repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
- name: Set Branch Variables
id: set-branch-variables
env:
github_event_pull_request_head_repo_owner_login: ${{ github.event.pull_request.head.repo.owner.login }}
github_repository_owner: ${{ github.repository_owner }}
run: |
# Set the Repo Owner
REPO_OWNER="${github_event_pull_request_head_repo_owner_login:-$github_repository_owner}"
echo "REPO_OWNER=$REPO_OWNER" >> $GITHUB_ENV
- name: Sanitize Github Variables
id: sanitize-github-variables
env:
GITHUB_EVENT_PULL_REQUEST_TITLE: ${{ github.event.pull_request.title }}
run: |
# Delete non-alphanumeric characters and limit to 75 chars which is the branch title limit in GitHub
SAFE_PULL_REQUEST_TITLE=$(echo "${GITHUB_EVENT_PULL_REQUEST_TITLE}" | tr -cd '[:alnum:]_ -' | cut -c1-75)
echo "SAFE_PULL_REQUEST_TITLE=$SAFE_PULL_REQUEST_TITLE" >> $GITHUB_ENV


@@ -0,0 +1,40 @@
on:
pull_request:
workflow_dispatch:
jobs:
build:
if: ${{ github.repository_owner == 'test' }}
runs-on: ubuntu-latest
steps:
- name: Get the appropriate Endo branch
id: branch
uses: actions/github-script@v7
with:
result-encoding: string
script: |-
let branch = 'NOPE';
if (context.payload.pull_request) {
const { body } = context.payload.pull_request;
const regex = /^\#endo-branch:\s+(\S+)/m;
const result = regex.exec(body);
if (result) {
branch = result[1];
}
}
return branch;
- name: check out
id: checkout
if: steps.branch.outputs.result != 'NOPE'
uses: actions/checkout@v4
with:
repository: test/test
path: ./tmp
ref: ${{ steps.branch.outputs.result }}
clean: 'false'
submodules: 'true'
persist-credentials: false
- name: Find Netlify site ID
run: |
echo "NETLIFY_SITE_ID=$(cat COVERAGE_NETLIFY_SITE_ID)" >> $GITHUB_ENV
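Review bot: The checkout `ref` is taken from the PR body via `/^\#endo-branch:\s+(\S+)/m`, and `\S+` admits a full commit SHA; since GitHub shares objects across a fork network, `actions/checkout` can fetch a commit pushed to a fork of `test/test`, so the `!= 'NOPE'` guard does not stop a contributor selecting arbitrary code. With a plain `pull_request` trigger and `persist-credentials: false` the blast radius is limited, which is presumably the point; a comment on the `check out` step saying so would help. Separately, the checkout lands in `./tmp` but the last step runs `cat COVERAGE_NETLIFY_SITE_ID` from the workspace root, which nothing has populated — if the intent is to read the checked-out file, `cat ./tmp/COVERAGE_NETLIFY_SITE_ID` is what is meant.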


@@ -0,0 +1,43 @@
name: Test
on:
workflow_run:
workflows: ["Generate Preview"]
types:
- completed
jobs:
test:
runs-on: ubuntu-latest
steps:
- name: 'Download artifact'
uses: actions/github-script@v3.1.0
with:
script: |
var artifacts = await github.actions.listWorkflowRunArtifacts({
owner: context.repo.owner,
repo: context.repo.repo,
run_id: ${{ github.event.workflow_run.id }},
});
var matchPrArtifact = artifacts.data.artifacts.filter((artifact) => {
return artifact.name == "pr"
})[0];
var matchPreviewArtifact = artifacts.data.artifacts.filter((artifact) => {
return artifact.name == "preview"
})[0];
var downloadPr = await github.actions.downloadArtifact({
owner: context.repo.owner,
repo: context.repo.repo,
artifact_id: matchPrArtifact.id,
archive_format: 'zip',
});
var downloadPreview = await github.actions.downloadArtifact({
owner: context.repo.owner,
repo: context.repo.repo,
artifact_id: matchPreviewArtifact.id,
archive_format: 'zip',
});
var fs = require('fs');
fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(downloadPr.data));
- run: |
unzip pr.zip
echo "pr_number=$(cat NR)" >> $GITHUB_ENV
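Review bot: `run_id: ${{ github.event.workflow_run.id }}` splices the value into the JavaScript source at expression-expansion time; it is an integer here so nothing breaks, but the other github-script fixtures in this commit use `context.payload.workflow_run.id`, and matching that keeps the script free of `${{ }}` interpolation. `matchPrArtifact` is `undefined` when no `pr` artifact exists, so `matchPrArtifact.id` throws before the `run` sink is reached, and `downloadPreview` is fetched but never written anywhere. A `# NR is uploaded by the fork's run; unzip + cat is the sink` comment on the last step would make the expected edge self-explanatory.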


@@ -0,0 +1,23 @@
name: Test
on:
workflow_run:
workflows: ['checks']
types:
- completed
jobs:
test:
runs-on: ubuntu-latest
steps:
- name: Download PR metadata
uses: dawidd6/action-download-artifact@e6e25ac3a2b93187502a8be1ef9e9603afc34925 # v2.24.2
with:
workflow: ${{ github.event.workflow_run.workflow_id }}
workflow_conclusion: ''
name: pr_metadata
if_no_artifact_found: 'ignore'
- run: |
echo "PR_NUMBER=$(cat pr_number.txt | jq -r .)" >> $GITHUB_ENV
echo "PR_HEAD_REPO=$(cat pr_head_repo.txt | jq -Rr .)" >> $GITHUB_ENV
echo "PR_HEAD_REF=$(cat pr_head_ref.txt | jq -Rr .)" >> $GITHUB_ENV
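Review bot: The `jq -r .` / `jq -Rr .` pipes are not sanitizers, and the fixture should say so because readers often assume they are: `-r` prints the decoded string, so a `pr_number.txt` holding `"1\nFOO=bar"` still emits a real newline, and `-R` merely passes each raw input line through unchanged. A comment on the step, `# jq -r / -Rr preserve newlines; all three lines are still injectable`, would make the expected finding self-explanatory. With `if_no_artifact_found: 'ignore'` the three `cat` calls fail on a missing artifact and, under the default `bash -e`, abort the step, which is fine here but worth knowing when the fixture is copied.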


@@ -0,0 +1,71 @@
name: Test
on:
pull_request_target:
jobs:
test:
runs-on: ubuntu-latest
steps:
- env:
TITLE: ${{ github.event.pull_request.title }}
run: |
echo "PR_TITLE=$TITLE" >> $GITHUB_ENV
- env:
TITLE: ${{ github.event.pull_request.title }}
run: |
echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV
- env:
TITLE: ${{ github.event.pull_request.title }}
run: |
echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV
- env:
TITLE: ${{ github.event.pull_request.title }}
run: |
echo "PR_TITLE<<EOF" >> $GITHUB_ENV
echo "$TITLE" >> $GITHUB_ENV
echo "EOF" >> $GITHUB_ENV
- env:
TITLE: ${{ github.event.pull_request.title }}
run: |
echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"
echo "$TITLE" >> "${GITHUB_ENV}"
echo "EOF" >> "${GITHUB_ENV}"
- env:
TITLE: ${{ github.event.pull_request.title }}
run: |
{
echo 'JSON_RESPONSE<<EOF'
echo "$TITLE"
echo EOF
} >> "$GITHUB_ENV"
- env:
TITLE: ${{ github.event.pull_request.title }}
run: |
cat <<-EOF >> "$GITHUB_ENV"
FOO=$TITLE
EOF
- env:
TITLE: ${{ github.event.pull_request.head.ref }}
run: |
echo "PR_TITLE=$TITLE" >> $GITHUB_ENV
- run: echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV
env:
TARGET_BRANCH: ${{ github.head_ref }}
- run: echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV
env:
TARGET_BRANCH: ${{ github.event.pull_request.title }}
- run: echo ISSUE_KEY=$(echo "${TITLE}" | grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV
env:
TITLE: ${{ github.event.pull_request.title }}
- env:
TITLE: |-
${{ github.event.pull_request.title }}
run: |
cat > issue.txt << EOL
${TITLE}
EOL
echo REPO_NAME=$(cat issue.txt | sed 's/\r/\n/g' | grep -ioE '\s*[a-z0-9_-]+/[a-z0-9_-]+\s*$' | tr -d ' ') >> $GITHUB_ENV
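Review bot: A precision note on the unquoted forms `echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV`, `echo ISSUE_KEY=$(...)` and `echo REPO_NAME=$(...)`: because the substitution is unquoted, bash word-splits it on IFS and `echo` re-joins the words with spaces, so an embedded newline cannot produce a second `GITHUB_ENV` line there (glob expansion of the unquoted value is the remaining hazard — a title containing `*` expands against the workspace). If the query flags these on purpose, a comment such as `# unquoted: newlines collapse under word splitting; flagged conservatively` on those steps would record that. The last step is also the only one that routes the title through a file (`issue.txt`), with `sed 's/\r/\n/g'` turning a carriage return into a newline before `grep`; as far as I can match the lines it is absent from the expected edges, so the file hop appears to break the flow, and a `# NOT REPORTED: taint lost through issue.txt` marker would keep that deliberate.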


@@ -0,0 +1,36 @@
name: Test
on:
workflow_run:
workflows: ["Build/Test"]
types: [completed]
jobs:
test:
runs-on: ubuntu-latest
steps:
- name: 'Download code coverage'
uses: actions/github-script@v7
with:
script: |
let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
owner: context.repo.owner,
repo: context.repo.repo,
run_id: context.payload.workflow_run.id,
});
let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
return artifact.name == "oc-code-coverage"
})[0];
let download = await github.rest.actions.downloadArtifact({
owner: context.repo.owner,
repo: context.repo.repo,
artifact_id: matchArtifact.id,
archive_format: 'zip',
});
let fs = require('fs');
fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/oc-code-coverage.zip`, Buffer.from(download.data));
- name: 'Unzip code coverage'
run: unzip oc-code-coverage.zip -d coverage
- name: set env vars
run: |
echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV
echo "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV
echo "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV


@@ -0,0 +1,28 @@
name: Test
on:
pull_request_target:
jobs:
test:
runs-on: ubuntu-latest
steps:
- env:
TITLE: ${{ github.event.pull_request.title }}
run: |
FOO=${TITLE##*/}
echo PR_TITLE=${FOO} >> $GITHUB_ENV
- env:
TITLE: ${{ github.event.pull_request.title }}
run: |
FOO=$TITLE+
echo PR_TITLE=$FOO >> $GITHUB_ENV
- env:
TITLE: ${{ github.event.pull_request.title }}
run: |
venv="$(echo $TITLE)')"
echo "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV
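Review bot: `venv="$(echo $TITLE)')"` has what looks like a stray `')` — the double-quoted string only closes after it, so `venv` ends with the literal characters `')`; if this is copied verbatim from a real workflow to exercise an odd token sequence, a comment saying so would stop the next person from "fixing" it, otherwise `venv="$(echo $TITLE)"` is what was meant. The `FOO=${TITLE##*/}` case shows that a parameter-expansion prefix strip is not a sanitizer (it only removes text up to the last `/`; newlines survive), and a `# ${VAR##*/} is not a sanitizer` comment would make that explicit. Both `echo PR_TITLE=...` lines are unquoted, so word splitting collapses embedded newlines to spaces before the value reaches `GITHUB_ENV`; if the query means to flag them regardless, a comment recording that would help.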


@@ -0,0 +1,25 @@
# Second Workflow
# It consumes an artifact produced by the First Workflow
on: workflow_run
jobs:
my-second-job:
runs-on: ubuntu-latest
steps:
- name: download pr artifact
uses: dawidd6/action-download-artifact@v2
with:
workflow: ${{github.event.workflow_run.workflow_id}}
run_id: ${{github.event.workflow_run.id}}
name: artifact
- name: Load .env file
uses: aarcangeli/load-dotenv@v1.0.0
with:
path: 'backend/new'
filenames: |
.env
.env.test
quiet: false
if-file-not-found: error
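Review bot: The sink in this fixture is a third-party action, `aarcangeli/load-dotenv@v1.0.0`, which reads `.env` / `.env.test` from the downloaded artifact's `backend/new` directory and exports them to the job environment; because there is no `run:` step, a comment on that step, `# load-dotenv writes the artifact's .env into GITHUB_ENV`, would make the expected Uses-Step-to-Uses-Step edge understandable. `on: workflow_run` with no `workflows:` list is, I believe, rejected by GitHub's workflow validator; the extractor does not care, but the other fixtures supply one. `dawidd6/action-download-artifact@v2` is a floating tag while the same action is SHA-pinned elsewhere in this commit — fine for a fixture, just inconsistent.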


@@ -0,0 +1,39 @@
name: Tests
on:
workflow_run:
workflows: ["tests"]
types:
- completed
permissions: { contents: read }
jobs:
unit-test-results:
name: Test
runs-on: ubuntu-latest
permissions:
actions: write
statuses: write
checks: write
pull-requests: write
contents: write
steps:
- uses: actions/checkout@v4
- name: Download and Extract Artifacts
uses: dawidd6/action-download-artifact@v6
with:
run_id: ${{ github.event.workflow_run.id }}
path: ./artifacts
- name: assignment
run: |
foo=$(cat ./artifacts/parent-artifacts/event.txt)
echo "foo=$foo" >> $GITHUB_ENV
- name: direct 1
run: |
echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV
- name: direct 2
run: |
echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV
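Review bot: `direct 2` reads `/artifacts/parent-artifacts/event.txt` — an absolute path — whereas the download step and the other two steps use `./artifacts/...`; that looks like a dropped `.`, and if the query's source matching relies on the artifact `path:` the expected edge for this line may be passing for the wrong reason, so `echo "foo=$(< ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV` is what was meant. The job's `contents: write` / `pull-requests: write` / `actions: write` permissions are what make an env injection here consequential; a one-line comment noting that this is the privileged-job variant would help readers contrast it with the `actions: read` fixture. `dawidd6/action-download-artifact@v6` is a floating tag, acceptable for a fixture.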


@@ -0,0 +1,41 @@
name: tests
on:
workflow_run:
workflows: ["Tests"]
types:
- completed
permissions: { contents: read }
jobs:
get-artifacts:
name: Get required artifacts
runs-on: ubuntu-latest
permissions:
actions: read
statuses: write
steps:
- name: Download and extract event file
uses: actions/download-artifact@v4
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
run-id: ${{ github.event.workflow_run.id }}
name: event_file
path: artifacts/event_file
- name: Try to read PR number
id: set-ref
run: |
pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)
if [ -z "$pr_num" ] || [ "$pr_num" == "null" ]; then
pr_num=""
fi
ref=$pr_num
if [ -z "$ref" ] || [ "$ref" == "null" ]; then
ref=${{ github.ref }}
fi
echo "pr_num=$pr_num" >> $GITHUB_ENV
echo "ref=$ref" >> $GITHUB_ENV
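Review bot: The `-z` / `== "null"` checks on `pr_num` and `ref` are not sanitizers — they only catch the empty and missing cases, and a value such as `1\nFOO=bar` from a tampered `event.json` (the artifact is produced by the triggering run, which a fork controls) passes straight through `jq -r` to `echo "pr_num=$pr_num" >> $GITHUB_ENV`. If the fixture is meant to confirm those checks are not treated as sanitizers, a comment saying so would help; the production-grade fix would be a shape check such as `[[ "$pr_num" =~ ^[0-9]+$ ]] || exit 1` before the export. `ref=${{ github.ref }}` inside the script is a server-controlled value and is fine as written.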


@@ -0,0 +1,24 @@
edges
| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance | Config |
| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance | Config |
| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | provenance | Config |
| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | provenance | Config |
| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance | Config |
nodes
| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | semmle.label | echo $(echo "$PATHINJ") >> $GITHUB_PATH |
| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | semmle.label | echo $PATHINJ >> $GITHUB_PATH |
| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | semmle.label | echo ${PATHINJ} >> $GITHUB_PATH |
| .github/workflows/path1.yml:21:9:25:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | semmle.label | echo "$(cat foo/bar)" >> $GITHUB_PATH |
| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | semmle.label | echo "::add-path::$PATHINJ" |
subpaths
#select
| .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |


@@ -0,0 +1 @@
Security/CWE-077/EnvPathInjectionCritical.ql


@@ -0,0 +1,19 @@
edges
| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance | Config |
| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance | Config |
| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | provenance | Config |
| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | provenance | Config |
| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance | Config |
nodes
| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | semmle.label | echo $(echo "$PATHINJ") >> $GITHUB_PATH |
| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | semmle.label | echo $PATHINJ >> $GITHUB_PATH |
| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | semmle.label | echo ${PATHINJ} >> $GITHUB_PATH |
| .github/workflows/path1.yml:21:9:25:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | semmle.label | echo "$(cat foo/bar)" >> $GITHUB_PATH |
| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | semmle.label | echo "::add-path::$PATHINJ" |
subpaths
#select


@@ -0,0 +1 @@
Security/CWE-077/EnvPathInjectionMedium.ql


@@ -0,0 +1,131 @@
edges
| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config |
| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<<EOF'\n cat foo\n echo EOF\n} >> "$GITHUB_ENV"\n | provenance | Config |
| .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config |
| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<<EOF'\n echo "$TITLE"\n echo EOF\n} >> "$GITHUB_ENV"\n | provenance | Config |
| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | provenance | Config |
| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | provenance | Config |
| .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | provenance | Config |
| .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | provenance | Config |
| .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | provenance | Config |
| .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | provenance | Config |
| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | provenance | Config |
| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | provenance | Config |
| .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | provenance | Config |
| .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | provenance | Config |
nodes
| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | semmle.label | Run Step |
| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | semmle.label | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n |
| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | semmle.label | Run Step |
| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n |
| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | semmle.label | Run Step |
| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<<EOF'\n cat foo\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<<EOF'\n cat foo\n echo EOF\n} >> "$GITHUB_ENV"\n |
| .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n |
| .github/workflows/test3.yml:13:7:20:4 | Uses Step | semmle.label | Uses Step |
| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | semmle.label | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n |
| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | semmle.label | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n |
| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | semmle.label | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n |
| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | semmle.label | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n |
| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | semmle.label | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n |
| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n |
| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<<EOF'\n echo "$TITLE"\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<<EOF'\n echo "$TITLE"\n echo EOF\n} >> "$GITHUB_ENV"\n |
| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | semmle.label | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n |
| .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | semmle.label | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV |
| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | semmle.label | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV |
| .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/test5.yml:10:9:30:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | semmle.label | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n |
| .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | semmle.label | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n |
| .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | semmle.label | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n |
| .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | semmle.label | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n |
| .github/workflows/test7.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/test7.yml:16:9:24:35 | Uses Step | semmle.label | Uses Step |
| .github/workflows/test8.yml:24:9:30:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | semmle.label | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n |
| .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | semmle.label | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n |
| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | semmle.label | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n |
| .github/workflows/test9.yml:19:9:27:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n |
| .github/workflows/test10.yml:20:9:26:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | semmle.label | cat foo/.github/java-config.env >> $GITHUB_ENV |
| .github/workflows/test11.yml:15:9:21:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n |
| .github/workflows/test12.yml:38:9:46:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n |
| .github/workflows/test12.yml:55:9:61:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n |
| .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | semmle.label | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n |
| .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | semmle.label | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n |
| .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | semmle.label | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n |
| .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | semmle.label | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n |
| .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | semmle.label | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n |
| .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | semmle.label | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n |
| .github/workflows/test16.yml:10:9:15:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n |
| .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n |
subpaths
#select
| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:4:3:4:14 | workflow_run | workflow_run |
| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:4:3:4:14 | workflow_run | workflow_run |
| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<<EOF'\n cat foo\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<<EOF'\n cat foo\n echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<<EOF'\n cat foo\n echo EOF\n} >> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<<EOF'\n cat foo\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:4:3:4:14 | workflow_run | workflow_run |
| .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:3:3:3:14 | workflow_run | workflow_run |
| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:3:3:3:14 | workflow_run | workflow_run |
| .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<<EOF'\n echo "$TITLE"\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<<EOF'\n echo "$TITLE"\n echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<<EOF'\n echo "$TITLE"\n echo EOF\n} >> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<<EOF'\n echo "$TITLE"\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:3:3:3:14 | workflow_run | workflow_run |
| .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/test7.yml:16:9:24:35 | Uses Step | .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Uses Step | .github/workflows/test7.yml:4:5:4:16 | workflow_run | workflow_run |
| .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run |
| .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run |
| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run |
| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:4:3:4:14 | workflow_run | workflow_run |
| .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test11.yml:4:3:4:14 | workflow_run | workflow_run |
| .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run |
| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run |
| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run |
| .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:3:3:3:21 | pull_request_target | pull_request_target |
| .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:3:3:3:21 | pull_request_target | pull_request_target |
| .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:4:3:4:14 | workflow_run | workflow_run |
| .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:4:3:4:14 | workflow_run | workflow_run |


@@ -0,0 +1 @@
Security/CWE-077/EnvVarInjectionCritical.ql


@@ -0,0 +1,95 @@
edges
| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config |
| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<<EOF'\n cat foo\n echo EOF\n} >> "$GITHUB_ENV"\n | provenance | Config |
| .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config |
| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<<EOF'\n echo "$TITLE"\n echo EOF\n} >> "$GITHUB_ENV"\n | provenance | Config |
| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | provenance | Config |
| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | provenance | Config |
| .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | provenance | Config |
| .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | provenance | Config |
| .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | provenance | Config |
| .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | provenance | Config |
| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | provenance | Config |
| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | provenance | Config |
| .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | provenance | Config |
| .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | provenance | Config |
nodes
| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | semmle.label | Run Step |
| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | semmle.label | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n |
| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | semmle.label | Run Step |
| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n |
| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | semmle.label | Run Step |
| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<<EOF'\n cat foo\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<<EOF'\n cat foo\n echo EOF\n} >> "$GITHUB_ENV"\n |
| .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n |
| .github/workflows/test3.yml:13:7:20:4 | Uses Step | semmle.label | Uses Step |
| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | semmle.label | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n |
| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | semmle.label | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n |
| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | semmle.label | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n |
| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | semmle.label | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n |
| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | semmle.label | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n |
| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n |
| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<<EOF'\n echo "$TITLE"\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<<EOF'\n echo "$TITLE"\n echo EOF\n} >> "$GITHUB_ENV"\n |
| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | semmle.label | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n |
| .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | semmle.label | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV |
| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | semmle.label | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV |
| .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/test5.yml:10:9:30:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | semmle.label | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n |
| .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | semmle.label | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n |
| .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | semmle.label | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n |
| .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | semmle.label | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n |
| .github/workflows/test7.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/test7.yml:16:9:24:35 | Uses Step | semmle.label | Uses Step |
| .github/workflows/test8.yml:24:9:30:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | semmle.label | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n |
| .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | semmle.label | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n |
| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | semmle.label | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n |
| .github/workflows/test9.yml:19:9:27:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n |
| .github/workflows/test10.yml:20:9:26:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | semmle.label | cat foo/.github/java-config.env >> $GITHUB_ENV |
| .github/workflows/test11.yml:15:9:21:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n |
| .github/workflows/test12.yml:38:9:46:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n |
| .github/workflows/test12.yml:55:9:61:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n |
| .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | semmle.label | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n |
| .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | semmle.label | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n |
| .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | semmle.label | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n |
| .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | semmle.label | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n |
| .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | semmle.label | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n |
| .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | semmle.label | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n |
| .github/workflows/test16.yml:10:9:15:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n |
| .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n |
subpaths
#select


@@ -0,0 +1 @@
Security/CWE-077/EnvVarInjectionMedium.ql


@@ -0,0 +1,196 @@
name: "Run Dagger pipeline"
description: "Runs a given dagger pipeline"
inputs:
subcommand:
description: "Subcommand for airbyte-ci"
required: true
context:
description: "CI context (e.g., pull_request, manual)"
required: true
github_token:
description: "GitHub token"
required: false
dagger_cloud_token:
description: "Dagger Cloud token"
required: false
docker_hub_username:
description: "Dockerhub username"
required: false
docker_hub_password:
description: "Dockerhub password"
required: false
options:
description: "Options for the subcommand"
required: false
production:
description: "Whether to run in production mode"
required: false
default: "True"
report_bucket_name:
description: "Bucket name for CI reports"
required: false
default: "airbyte-ci-reports-multi"
gcp_gsm_credentials:
description: "GCP credentials for GCP Secret Manager"
required: false
default: ""
gcp_integration_tester_credentials:
description: "GCP credentials for integration tests"
required: false
default: ""
git_repo_url:
description: "Git repository URL"
default: https://github.com/airbytehq/airbyte.git
required: false
git_branch:
description: "Git branch to checkout"
required: false
git_revision:
description: "Git revision to checkout"
required: false
slack_webhook_url:
description: "Slack webhook URL"
required: false
metadata_service_gcs_credentials:
description: "GCP credentials for metadata service"
required: false
metadata_service_bucket_name:
description: "Bucket name for metadata service"
required: false
default: "prod-airbyte-cloud-connector-metadata-service"
sentry_dsn:
description: "Sentry DSN"
required: false
spec_cache_bucket_name:
description: "Bucket name for GCS spec cache"
required: false
default: "io-airbyte-cloud-spec-cache"
spec_cache_gcs_credentials:
description: "GCP credentials for GCS spec cache"
required: false
gcs_credentials:
description: "GCP credentials for GCS"
required: false
ci_job_key:
description: "CI job key"
required: false
s3_build_cache_access_key_id:
description: "Gradle S3 Build Cache AWS access key ID"
required: false
s3_build_cache_secret_key:
description: "Gradle S3 Build Cache AWS secret key"
required: false
airbyte_ci_binary_url:
description: "URL to airbyte-ci binary"
required: false
default: https://connectors.airbyte.com/airbyte-ci/releases/ubuntu/latest/airbyte-ci
python_registry_token:
description: "Python registry API token to publish python package"
required: false
is_fork:
description: "Whether the PR is from a fork"
required: false
default: "false"
max_attempts:
description: "Number of attempts at running the airbyte-ci command"
required: false
default: 1
retry_wait_seconds:
description: "Number of seconds to wait between retry attempts"
required: false
default: 60
runs:
using: "composite"
steps:
- name: Get start timestamp
id: get-start-timestamp
shell: bash
run: echo "start-timestamp=$(date +%s)" >> $GITHUB_OUTPUT
- name: Docker login
id: docker-login
uses: docker/login-action@v3
if: ${{ inputs.docker_hub_username != '' && inputs.docker_hub_password != '' }}
with:
username: ${{ inputs.docker_hub_username }}
password: ${{ inputs.docker_hub_password }}
- name: Install Airbyte CI
id: install-airbyte-ci
uses: ./.github/actions/install-airbyte-ci
with:
airbyte_ci_binary_url: ${{ inputs.airbyte_ci_binary_url }}
is_fork: ${{ inputs.is_fork }}
- name: Run airbyte-ci
id: run-airbyte-ci
uses: nick-fields/retry@v3
env:
CI: "True"
CI_GIT_USER: ${{ github.repository_owner }}
CI_PIPELINE_START_TIMESTAMP: ${{ steps.get-start-timestamp.outputs.start-timestamp }}
PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }}
# Next environment variables are workflow inputs based and can be set with empty values if the inputs are not required and passed
CI_CONTEXT: "${{ inputs.context }}"
CI_GIT_BRANCH: ${{ inputs.git_branch || github.head_ref }}
CI_GIT_REPO_URL: ${{ inputs.git_repo_url }}
CI_GIT_REVISION: ${{ inputs.git_revision || github.sha }}
CI_GITHUB_ACCESS_TOKEN: ${{ inputs.github_token }}
CI_JOB_KEY: ${{ inputs.ci_job_key }}
CI_REPORT_BUCKET_NAME: ${{ inputs.report_bucket_name }}
DAGGER_CLOUD_TOKEN: "${{ inputs.dagger_cloud_token }}"
DOCKER_HUB_PASSWORD: ${{ inputs.docker_hub_password }}
DOCKER_HUB_USERNAME: ${{ inputs.docker_hub_username }}
GCP_GSM_CREDENTIALS: ${{ inputs.gcp_gsm_credentials }}
GCP_INTEGRATION_TESTER_CREDENTIALS: ${{ inputs.gcp_integration_tester_credentials }}
GCS_CREDENTIALS: ${{ inputs.gcs_credentials }}
METADATA_SERVICE_BUCKET_NAME: ${{ inputs.metadata_service_bucket_name }}
METADATA_SERVICE_GCS_CREDENTIALS: ${{ inputs.metadata_service_gcs_credentials }}
PRODUCTION: ${{ inputs.production }}
PYTHON_REGISTRY_TOKEN: ${{ inputs.python_registry_token }}
PYTHON_REGISTRY_URL: ${{ inputs.python_registry_url }}
S3_BUILD_CACHE_ACCESS_KEY_ID: ${{ inputs.s3_build_cache_access_key_id }}
S3_BUILD_CACHE_SECRET_KEY: ${{ inputs.s3_build_cache_secret_key }}
SENTRY_DSN: ${{ inputs.sentry_dsn }}
SLACK_WEBHOOK: ${{ inputs.slack_webhook_url }}
SPEC_CACHE_BUCKET_NAME: ${{ inputs.spec_cache_bucket_name }}
SPEC_CACHE_GCS_CREDENTIALS: ${{ inputs.spec_cache_gcs_credentials }}
with:
shell: bash
max_attempts: ${{ inputs.max_attempts }}
retry_wait_seconds: ${{ inputs.retry_wait_seconds }}
# 360mn > 6 hours: it's the GitHub runner max job duration
timeout_minutes: 360
command: |
airbyte-ci --disable-update-check --disable-dagger-run --is-ci --gha-workflow-run-id=${{ github.run_id }} ${{ inputs.subcommand }} ${{ inputs.options }}
- name: Stop Engine
id: stop-engine
if: always()
shell: bash
run: |
mapfile -t containers < <(docker ps --filter name="dagger-engine-*" -q)
if [[ "${#containers[@]}" -gt 0 ]]; then
# give 5mn to the Dagger Engine to push cache data to Dagger Cloud
docker stop -t 300 "${containers[@]}";
fi
- name: Collect dagger engine logs
id: collect-dagger-engine-logs
if: always()
uses: jwalton/gh-docker-logs@v2
with:
dest: "./dagger_engine_logs"
images: "registry.dagger.io/engine"
- name: Tar logs
id: tar-logs
if: always()
shell: bash
run: tar cvzf ./dagger_engine_logs.tgz ./dagger_engine_logs
- name: Upload logs to GitHub
id: upload-dagger-engine-logs
if: always()
uses: actions/upload-artifact@v4
with:
name: ${{ github.job }}_dagger_engine_logs.tgz
path: ./dagger_engine_logs.tgz
retention-days: 7
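Review bot: `${{ inputs.subcommand }} ${{ inputs.options }}` on the `command:` line of the "Run airbyte-ci" step are substituted by the Actions expression engine before bash parses the script, so any shell metacharacters in those inputs become shell syntax on a runner that was just logged into Docker Hub and holds the GCP/Dagger credentials listed under `env:`; the finalize-rollout workflow in this same commit feeds `github.event.client_payload.connector_name` into `subcommand`. If this file is meant as a verbatim vendored fixture for that sink, that is presumably the point, but otherwise the fix is to pass both through the step's `env:` (`SUBCOMMAND: ${{ inputs.subcommand }}`, `OPTIONS: ${{ inputs.options }}`) and write `airbyte-ci ... $SUBCOMMAND $OPTIONS` in the command. Separately, `PYTHON_REGISTRY_URL: ${{ inputs.python_registry_url }}` reads an input that is not declared under `inputs:`, so it always evaluates to an empty string; either declare it or drop the line. `nick-fields/retry@v3` and `jwalton/gh-docker-logs@v2` are third-party actions pinned only to a major tag while running on that credentialed runner; pinning to a commit SHA is the usual hardening.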


@@ -0,0 +1,9 @@
on: issue_comment
jobs:
test1:
runs-on: ubuntu-latest
steps:
- uses: ruby/setup-ruby@v2
with:
ruby-version: ${{ github.event.comment.body }}


@@ -0,0 +1,87 @@
name: Documentation
on:
workflow_dispatch:
pull_request:
jobs:
parse_commit_info:
runs-on: ubuntu-latest
outputs:
can_deploy: ${{ steps.decide.outputs.can_deploy }}
deploy_to: ${{ steps.decide.outputs.deploy_to }}
steps:
- name: Checkout Code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Copy build utils
run: |
cp -r .github/utils ../utils
- name: Decide Whether to Build and/or Release
id: decide
run: |
set -xe
CAN_DEPLOY=$(python ../utils/please.py can_i_deploy_documentation)
DEPLOY_TO=$(python ../utils/please.py where_can_i_deploy_documentation)
echo "can_deploy=$CAN_DEPLOY" >> $GITHUB_OUTPUT
echo "deploy_to=$DEPLOY_TO" >> $GITHUB_OUTPUT
echo github.ref ${{ github.ref }}
build-documentation:
runs-on: ubuntu-latest
needs: parse_commit_info
strategy:
matrix:
python-version: [3.11]
steps:
- name: Checkout Code
uses: actions/checkout@v4
- name: Setup Python
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
- name: Install Quarto
uses: quarto-dev/quarto-actions/setup@v2
with:
version: pre-release
- name: Install Package
shell: bash
run: |
make doc-deps
- name: Environment Information
shell: bash
run: |
ls -la
ls -la doc
pip list
- name: Build docs
shell: bash
run: |
pushd doc; make doc; popd
- name: Environment Information
shell: bash
run: |
ls -la doc
cat doc/_variables.yml
ls -la doc/reference
- name: Deploy to Documentation to a Branch
uses: JamesIves/github-pages-deploy-action@v4
if: contains(needs.parse_commit_info.outputs.can_deploy, 'true')
with:
folder: doc/_site
branch: ${{ needs.parse_commit_info.outputs.deploy_to }}
commit-message: ${{ github.event.head_commit.message }}
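Review bot: `commit-message: ${{ github.event.head_commit.message }}` on the last line reads an event field that, as far as I recall, only `push` payloads carry; under the declared `pull_request` and `workflow_dispatch` triggers the expression evaluates to an empty string, so the deploy action will fall back to its default message. If the intent is to attribute the deploy to the triggering change, `${{ github.sha }}` or `${{ github.event.pull_request.title }}` are fields those events do populate, and a PR title is attacker-chosen text, so keep it as an action input like here rather than interpolating it into a `run:` line. Note also that `deploy_to` (which becomes the target `branch:`) is computed by `please.py` taken from the checked-out PR tree; with `pull_request` a fork's token is read-only so a push would fail rather than deploy, but that guard disappears if this trigger is ever changed to `pull_request_target`, and a one-line comment above `on:` saying so would help.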


@@ -0,0 +1,63 @@
name: Finalize connector rollout
on:
repository_dispatch:
types: [finalize-connector-rollout]
workflow_dispatch:
inputs:
connector_name:
description: "Connector name"
required: true
action:
description: "Action to perform"
required: true
options: ["promote", "rollback"]
jobs:
finalize_rollout:
name: Finalize connector rollout
runs-on: connector-publish-large
env:
ACTION: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.action || github.event.client_payload.action }}
steps:
- name: Check action value
run: |
if [[ "${ACTION}" != "promote" && "${ACTION}" != "rollback" ]]; then
echo "Invalid action: ${ACTION}"
exit 1
fi
shell: bash
- name: Checkout Airbyte
uses: actions/checkout@v4
- name: Promote {{ github.event.client_payload.connector_name }} release candidate
id: promote-release-candidate
if: ${{ env.ACTION == 'promote' }}
uses: ./.github/actions/run-airbyte-ci
with:
context: "manual"
dagger_cloud_token: ${{ secrets.DAGGER_CLOUD_TOKEN_2 }}
docker_hub_password: ${{ secrets.DOCKER_HUB_PASSWORD }}
docker_hub_username: ${{ secrets.DOCKER_HUB_USERNAME }}
gcp_gsm_credentials: ${{ secrets.GCP_GSM_CREDENTIALS }}
gcs_credentials: ${{ secrets.METADATA_SERVICE_PROD_GCS_CREDENTIALS }}
github_token: ${{ secrets.GITHUB_TOKEN }}
metadata_service_gcs_credentials: ${{ secrets.METADATA_SERVICE_PROD_GCS_CREDENTIALS }}
sentry_dsn: ${{ secrets.SENTRY_AIRBYTE_CI_DSN }}
slack_webhook_url: ${{ secrets.PUBLISH_ON_MERGE_SLACK_WEBHOOK }}
subcommand: "connectors --name=${{ github.event.client_payload.connector_name }} publish --promote-release-candidate"
- name: Rollback {{ github.event.client_payload.connector_name }} release candidate
id: rollback-release-candidate
if: ${{ env.ACTION == 'rollback' }}
uses: ./.github/actions/run-airbyte-ci
with:
context: "manual"
dagger_cloud_token: ${{ secrets.DAGGER_CLOUD_TOKEN_2 }}
docker_hub_password: ${{ secrets.DOCKER_HUB_PASSWORD }}
docker_hub_username: ${{ secrets.DOCKER_HUB_USERNAME }}
gcp_gsm_credentials: ${{ secrets.GCP_GSM_CREDENTIALS }}
gcs_credentials: ${{ secrets.METADATA_SERVICE_PROD_GCS_CREDENTIALS }}
github_token: ${{ secrets.GITHUB_TOKEN }}
metadata_service_gcs_credentials: ${{ secrets.METADATA_SERVICE_PROD_GCS_CREDENTIALS }}
sentry_dsn: ${{ secrets.SENTRY_AIRBYTE_CI_DSN }}
slack_webhook_url: ${{ secrets.PUBLISH_ON_MERGE_SLACK_WEBHOOK }}
spec_cache_gcs_credentials: ${{ secrets.SPEC_CACHE_SERVICE_ACCOUNT_KEY_PUBLISH }}
subcommand: "connectors --name=${{ github.event.client_payload.connector_name }} publish --rollback-release-candidate"
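Review bot: `subcommand: "connectors --name=${{ github.event.client_payload.connector_name }} ..."` on both publish steps takes the connector name from the `repository_dispatch` payload with none of the validation that `ACTION` gets in the first step, and the composite action this commit adds interpolates `inputs.subcommand` straight into a bash `command:`, so a name containing shell metacharacters becomes shell syntax on the `connector-publish-large` runner that holds the Docker Hub, GCS and Dagger credentials passed via `with:`. `repository_dispatch` needs a token with write access, so the sender is semi-trusted, but the same expression is also wrong for the `workflow_dispatch` path: the declared `connector_name` input is never read, so a manual run sends `--name=`. Select the name with the same ternary used for `ACTION`, validate it in the first step, and reference `env.CONNECTOR_NAME` in the step names and subcommands (the step names currently use `{{ ... }}` without `$`, so they print literally). Adjust the character class to the real connector naming scheme.

```yaml
    env:
      ACTION: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.action || github.event.client_payload.action }}
      CONNECTOR_NAME: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.connector_name || github.event.client_payload.connector_name }}
    steps:
      - name: Check action and connector name
        run: |
          if [[ "${ACTION}" != "promote" && "${ACTION}" != "rollback" ]]; then
            echo "Invalid action: ${ACTION}"
            exit 1
          fi
          if [[ ! "${CONNECTOR_NAME}" =~ ^[A-Za-z0-9_-]+$ ]]; then
            echo "Invalid connector name: ${CONNECTOR_NAME}"
            exit 1
          fi
        shell: bash
      # … unchanged: checkout step …
      - name: Promote ${{ env.CONNECTOR_NAME }} release candidate
        # … unchanged: id / if / uses / credential inputs …
        subcommand: "connectors --name=${{ env.CONNECTOR_NAME }} publish --promote-release-candidate"
      - name: Rollback ${{ env.CONNECTOR_NAME }} release candidate
        # … unchanged: id / if / uses / credential inputs …
        subcommand: "connectors --name=${{ env.CONNECTOR_NAME }} publish --rollback-release-candidate"
```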


@@ -0,0 +1,6 @@
edges
nodes
| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body |
subpaths
#select
| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential command injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment |


@@ -0,0 +1 @@
Security/CWE-078/CommandInjectionCritical.ql


@@ -0,0 +1,5 @@
edges
nodes
| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body |
subpaths
#select


@@ -0,0 +1 @@
Security/CWE-078/CommandInjectionMedium.ql


@@ -0,0 +1,74 @@
name: Argument injection
on:
pull_request_target:
jobs:
test1:
runs-on: ubuntu-latest
env:
TITLE: ${{github.event.pull_request.title}}
steps:
- name: Checkout
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.ref }}
- run: |
# NOT VULNERABLE
echo "s/FOO/$TITLE/g"
- run: |
# VULNERABLE
sed "s/FOO/$TITLE/g"
- run: |
# VULNERABLE
echo "foo" | sed "s/FOO/$TITLE/g" > bar
- run: |
# VULNERABLE
echo $(echo "foo" | sed "s/FOO/$TITLE/g" > bar)
- run: |
# VULNERABLE
awk "BEGIN {$TITLE}"
- run: |
# VULNERABLE
sed -i "s/git_branch = .*/git_branch = \"$GITHUB_HEAD_REF\"/" config.json
- run: |
# VULNERABLE
sed -i "s|git_branch = .*|git_branch = \"$GITHUB_HEAD_REF\"|" config.json
- run: |
# VULNERABLE
sed -e 's#<branch_to_sync>#${TITLE}#' \
-e 's#<sot_repo>#${{ env.sot_repo }}#' \
-e 's#<destination_repo>#TITLE#' \
.github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky
- run: |
# VULNERABLE
sed -e 's#<branch_to_sync>#TITLE#' \
-e 's#<sot_repo>#${{ env.sot_repo }}#' \
-e 's#<destination_repo>#${TITLE}#' \
.github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky
- run: |
# VULNERABLE
BODY=$(git log --format=%s)
sed "s/FOO/$BODY/g" > /tmp/foo
- run: |
# VULNERABLE
BODY=$(git diff --name-only HEAD)
sed "s/FOO/$BODY/g" > /tmp/foo
- run: |
# VULNERABLE
BODY=$(git diff --name-only HEAD )
sed "s/FOO/$BODY/g" > /tmp/foo
- run: |
# VULNERABLE
BODY=$(git diff --name-only HEAD^ | xargs)
sed "s/FOO/$BODY/g" > /tmp/foo
- run: |
# NOT VULNERABLE
echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT
- run: |
# NOT VULNERABLE
git log -1 --pretty=%s
- run: |
# NOT VULNERABLE
BODY=$(git log --format=%s)
sed -E 's/\s+/\n/g' <<<"$BODY"
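Review bot: The two copybara steps put `${TITLE}` inside a single-quoted sed expression (`'s#<branch_to_sync>#${TITLE}#'` and `'s#<destination_repo>#${TITLE}#'`), and bash does not expand parameters inside single quotes, so the title never reaches sed there; only the `${{ env.sot_repo }}` expression on the adjacent `-e` is substituted, by the Actions expression engine before the shell starts. The `# VULNERABLE` labels on those steps, and the matching edges in the expected output, are therefore only correct if the query deliberately ignores shell quoting; if that over-approximation is intended, say so in the fixture, e.g. `# VULNERABLE (query ignores quoting: ${TITLE} is inside single quotes and is not expanded)`, and otherwise make the step genuinely injectable with `sed -e "s#<branch_to_sync>#${TITLE}#" \`. Separately, the two `$GITHUB_HEAD_REF` steps and the `git log`/`git diff` steps are also labelled vulnerable but do not appear among the six edges in the expected output that follows (its `#select` is cut off here), so it is worth confirming that is what the query is meant to report.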


@@ -0,0 +1,35 @@
edges
| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | provenance | Config |
| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | provenance | Config |
| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | provenance | Config |
| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | provenance | Config |
| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | Config |
| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | Config |
nodes
| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | semmle.label | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n |
| .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | semmle.label | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n |
| .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | semmle.label | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n |
| .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | semmle.label | # VULNERABLE\nawk "BEGIN {$TITLE}"\n |
| .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | semmle.label | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n |
| .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | semmle.label | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n |
| .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n |
| .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n |
| .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n |
| .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n |
| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n |
| .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n |
subpaths
#select
| .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | awk | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |


@@ -0,0 +1 @@
Security/CWE-088/ArgumentInjectionCritical.ql


@@ -0,0 +1,23 @@
edges
| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | provenance | Config |
| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | provenance | Config |
| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | provenance | Config |
| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | provenance | Config |
| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | Config |
| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | Config |
nodes
| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | semmle.label | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n |
| .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | semmle.label | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n |
| .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | semmle.label | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n |
| .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | semmle.label | # VULNERABLE\nawk "BEGIN {$TITLE}"\n |
| .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | semmle.label | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n |
| .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | semmle.label | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n |
| .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n |
| .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n |
| .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n |
| .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n |
| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n |
| .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n |
subpaths
#select


@@ -0,0 +1 @@
Security/CWE-088/ArgumentInjectionMedium.ql


@@ -0,0 +1,7 @@
name: 'Test'
description: 'Test'
runs:
using: 'composite'
steps:
- shell: bash
run: echo '${{ github.event.pull_request.body }}'


@@ -0,0 +1,17 @@
name: 'Hello World'
description: 'Greet someone and record the time'
inputs:
who-to-greet: # id of input
description: 'Who to greet'
required: true
default: 'World'
outputs:
time: # id of output
description: 'The time we greeted you'
runs:
using: 'docker'
steps: # this is actually invalid, used to test we correctly identify composite actions
- run: echo '${{ github.event.comment.body }}'
image: 'Dockerfile'
args:
- ${{ inputs.who-to-greet }}


@@ -0,0 +1,9 @@
name: 'Test'
description: 'Test'
runs:
using: 'composite'
steps:
- shell: bash
env:
FOO: ${{ secrets.FOO}}
run: echo '${{ github.event.pull_request.body }}'
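Review bot: `FOO: ${{ secrets.FOO}}` in a composite action's `env:` block models a shape a real action presumably cannot express — as far as I know the `secrets` context is not available inside an `action.yml` (composite steps see `inputs`, `github`, `env`, `steps`, `runner`), and a secret has to arrive as a declared input passed by the caller, e.g. `FOO: ${{ inputs.foo }}`. If the point of the fixture is to mark the step as secret-handling regardless, a comment on the `env:` block saying so (`# secret reference marks this step as privileged for the query`) would stop the file being read as a working example. The missing space in `FOO}}` should also be `FOO }}` for consistency with the other expressions in these fixtures.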


@@ -0,0 +1,7 @@
name: 'Test'
description: 'Test'
runs:
using: 'composite'
steps:
- shell: bash
run: echo '${{ github.event.pull_request.body }}'


@@ -0,0 +1,34 @@
name: 'Test'
description: 'Test'
inputs:
taint:
description: 'text'
required: true
default: 'Foo'
outputs:
result:
description: "result"
value: ${{ steps.step.outputs.result }}
result2:
description: "result"
value: ${{ steps.step2.outputs.result2 }}
runs:
using: 'composite'
steps:
- shell: bash
run: echo '${{ github.event.issue.body }}'
- name: Step
id: step
env:
FOO: ${{ inputs.taint }}
shell: bash
run: echo "result=$(echo $FOO)" >> $GITHUB_OUTPUT
- id: step2
env:
FOO2: ${{ github.event.issue.body }}
shell: bash
run: echo "result2=$(echo $FOO2)" >> $GITHUB_OUTPUT
- name: Sink
id: sink
shell: bash
run: echo "${{ inputs.taint }}"
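Review bot: `echo "result=$(echo $FOO)" >> $GITHUB_OUTPUT` in the `step` step writes a tainted value into the outputs file as a single `name=value` line, so a value containing a newline appends further arbitrary `name=value` entries; the `step2` line has the same shape. Code modelled on this fixture should use the heredoc delimiter form, `{ echo "result<<EOF"; echo "$FOO"; echo "EOF"; } >> "$GITHUB_OUTPUT"`, with `$FOO` and `$GITHUB_OUTPUT` double-quoted. If the unsafe form is deliberate so the query sees taint reach the `result` output, a comment such as `# intentionally unsafe: tainted value reaches the result output` would keep it from being copied as a pattern.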


@@ -0,0 +1,251 @@
# Ultralytics Actions 🚀, AGPL-3.0 License https://ultralytics.com/license
name: "Ultralytics Actions"
author: "Ultralytics"
description: "Optimize code and docs with official Ultralytics Actions for syntax, spelling, and link checks."
branding:
icon: "code"
color: "blue"
inputs:
token:
description: "GitHub token"
required: true
labels:
description: "Run issue and PR auto-labeling"
required: false
default: "false"
python:
description: "Run Python formatting"
required: false
default: "false"
markdown:
description: "Run Markdown formatting (deprecated in favor of prettier)"
required: false
default: "false"
prettier:
description: "Run Prettier formatting for JavaScript, JSX, Angular, Vue, Flow, TypeScript, CSS, HTML, JSON, GraphQL, Markdown, YAML"
required: false
default: "false"
swift:
description: "Run Swift formatting"
required: false
default: "false"
spelling:
description: "Run Spelling checks"
required: false
default: "false"
links:
description: "Run Broken Links checks"
required: false
default: "false"
summary:
description: "Run PR Summary"
required: false
default: "false"
openai_api_key:
description: "OpenAI API Key"
required: false
openai_model:
description: "OpenAI Model"
required: false
default: "gpt-4o"
first_issue_response:
description: "Example response to a new issue"
required: false
first_pr_response:
description: "Example response to a new PR"
required: false
github_username:
description: "GitHub username for commits"
required: false
default: "UltralyticsAssistant"
github_email:
description: "GitHub email for commits"
required: false
default: "web@ultralytics.com"
runs:
using: "composite"
steps:
- uses: astral-sh/setup-uv@v3
- name: Install Dependencies
# Note tomli required for codespell with pyproject.toml
# For debug:
# python -m pip install --upgrade pip wheel
# pip install -q git+https://github.com/ultralytics/actions@main codespell tomli
run: |
packages="ultralytics-actions"
if [ "${{ inputs.spelling }}" = "true" ]; then
packages="$packages codespell tomli"
fi
# On macOS, don't use sudo as it can cause environment issues
if [ "$(uname)" = "Darwin" ]; then
pip install -q $packages
else
sudo env "PATH=$PATH" uv pip install --system $packages
fi
ultralytics-actions-info
shell: bash
# Checkout Repository ----------------------------------------------------------------------------------------------
- name: Checkout Repository
if: github.event.action != 'closed'
uses: actions/checkout@v4
with:
repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
token: ${{ inputs.token }}
ref: ${{ github.head_ref || github.ref }}
fetch-depth: 0
# PR Summary -------------------------------------------------------------------------------------------------------
- name: PR Summary
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.summary == 'true' && github.event.action != 'synchronize'
env:
GITHUB_TOKEN: ${{ inputs.token }}
OPENAI_API_KEY: ${{ inputs.openai_api_key }}
OPENAI_MODEL: ${{ inputs.openai_model }}
run: |
ultralytics-actions-summarize-pr
shell: bash
continue-on-error: true
# Python formatting ------------------------------------------------------------------------------------------------
# Ignores the following Docs rules to match Google-style docstrings:
# D100: Missing docstring in public module
# D104: Missing docstring in public package
# D203: 1 blank line required before class docstring
# D205: 1 blank line required between summary line and description
# D212: Multi-line docstring summary should start at the first line
# D213: Multi-line docstring summary should start at the second line
# D401: First line of docstring should be in imperative mood
# D406: Section name should end with a newline
# D407: Missing dashed underline after section
# D413: Missing blank line after last section
# --target-version is Python 3.8 for --extend-select UP (pyupgrade)
- name: Run Python
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.python == 'true' && github.event.action != 'closed'
run: |
ruff format \
--line-length 120 \
. || true
ruff check \
--fix \
--unsafe-fixes \
--extend-select I,D,UP \
--target-version py38 \
--ignore D100,D104,D203,D205,D212,D213,D401,D406,D407,D413 \
. || true
docformatter \
--wrap-summaries 120 \
--wrap-descriptions 120 \
--pre-summary-newline \
--close-quotes-on-newline \
--in-place \
--recursive \
.
shell: bash
continue-on-error: true
# Prettier (JavaScript, JSX, Angular, Vue, Flow, TypeScript, CSS, HTML, JSON, GraphQL, Markdown, YAML) -------------
- name: Run Prettier
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && (inputs.prettier == 'true' || inputs.markdown == 'true') && github.event.action != 'closed'
run: |
ultralytics-actions-update-markdown-code-blocks
npm install --global prettier
npx prettier --write "**/*.{js,jsx,ts,tsx,css,less,scss,json,yml,yaml,html,vue,svelte}" '!**/*lock.{json,yaml,yml}' '!**/*.lock' '!**/model.json'
# Handle Markdown separately
find . -name "*.md" ! -path "*/docs/*" -exec npx prettier --write {} +
if [ -d "./docs" ]; then
find ./docs -name "*.md" ! -path "*/reference/*" -exec npx prettier --tab-width 4 --write {} +
fi
shell: bash
continue-on-error: true
# - name: Fix MkDocs reference section changes
# if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && (inputs.prettier == 'true' || inputs.markdown == 'true') && github.event.action != 'closed'
# run: |
# from pathlib import Path
# for file in Path("./docs").rglob('*.md'):
# content = file.read_text()
# updated_content = content.replace(".\_","._")
# file.write_text(updated_content)
# shell: python
# continue-on-error: true
# Swift formatting -------------------------------------------------------------------------------------------------
- name: Run Swift Formatter
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.swift == 'true' && github.event.action != 'closed'
run: |
brew install swift-format
swift-format --in-place --recursive .
shell: bash
continue-on-error: true
# Spelling ---------------------------------------------------------------------------------------------------------
- name: Run Codespell
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.spelling == 'true' && github.event.action != 'closed'
run: |
codespell \
--write-changes \
--ignore-words-list "crate,nd,ned,strack,dota,ane,segway,fo,gool,winn,commend,bloc,nam,afterall,skelton,goin" \
--skip "*.pt,*.pth,*.torchscript,*.onnx,*.tflite,*.pb,*.bin,*.param,*.mlmodel,*.engine,*.npy,*.data*,*.csv,*pnnx*,*venv*,*translat*,*lock*,__pycache__*,*.ico,*.jpg,*.png,*.mp4,*.mov,/runs,/.git,./docs/??/*.md,./docs/mkdocs_??.yml"
shell: bash
continue-on-error: true
# Autolabel Issues and PRs (run before commit changes in case commit fails) ----------------------------------------
- name: Autolabel Issues and PRs
if: inputs.labels == 'true' && (github.event.action == 'opened' || github.event.action == 'created')
env:
GITHUB_TOKEN: ${{ inputs.token }}
FIRST_ISSUE_RESPONSE: ${{ inputs.first_issue_response }}
FIRST_PR_RESPONSE: ${{ inputs.first_pr_response }}
OPENAI_API_KEY: ${{ inputs.openai_api_key }}
OPENAI_MODEL: ${{ inputs.openai_model }}
run: |
ultralytics-actions-first-interaction
shell: bash
continue-on-error: true
# Commit Changes ---------------------------------------------------------------------------------------------------
- name: Commit and Push Changes
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && github.event.action != 'closed'
run: |
git config --global user.name "${{ inputs.github_username }}"
git config --global user.email "${{ inputs.github_email }}"
git pull origin ${{ github.head_ref || github.ref }}
git add .
git reset HEAD -- .github/workflows/ # workflow changes are not permitted with default token
if ! git diff --staged --quiet; then
git commit -m "Auto-format by https://ultralytics.com/actions"
git push
else
echo "No changes to commit"
fi
shell: bash
continue-on-error: false
# Broken links -----------------------------------------------------------------------------------------------------
- name: Broken Link Checker
if: inputs.links == 'true' && github.event.action != 'closed'
uses: lycheeverse/lychee-action@v2.0.2
with:
# Check all markdown and html files in repo. Ignores the following status codes to reduce false positives:
# - 403(OpenVINO, "forbidden")
# - 429(Instagram, "too many requests")
# - 500(Zenodo, "cached")
# - 502(Zenodo, "bad gateway")
# - 999(LinkedIn, "unknown status code")
args: |
--scheme https
--timeout 60
--insecure
--accept 403,429,500,502,999
--exclude-all-private
--exclude "https?://(www\.)?(github\.com|linkedin\.com|twitter\.com|instagram\.com|kaggle\.com|fonts\.gstatic\.com|url\.com)"
"./**/*.md"
"./**/*.html"
token: ${{ inputs.token }}
output: ../lychee/results.md
fail: true
continue-on-error: false
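Review bot: `git pull origin ${{ github.head_ref || github.ref }}` in the "Commit and Push Changes" step interpolates the PR branch name straight into a bash `run:` script, and the step is gated on `pull_request_target` events, so a fork-controlled branch name containing shell metacharacters would execute in a job that holds `inputs.token` — the same CWE-078 expression-injection class the queries in this commit target. Pass it through the environment instead: add `env:` with `HEAD_REF: ${{ github.head_ref || github.ref }}` and run `git pull origin "$HEAD_REF"`; the two `git config` lines that splice `inputs.github_username` and `inputs.github_email` into the script should get the same treatment. Separately, the lychee step passes `--insecure`, which disables TLS certificate verification for every link it checks, and deserves either a justifying comment or removal. Since this is a copied third-party action used as a test fixture, the fix belongs upstream if the file is meant to stay verbatim, but a header comment saying it is known-vulnerable fixture data would help readers.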


@@ -0,0 +1,252 @@
# Ultralytics Actions 🚀, AGPL-3.0 License https://ultralytics.com/license
name: "Ultralytics Actions"
author: "Ultralytics"
description: "Optimize code and docs with official Ultralytics Actions for syntax, spelling, and link checks."
branding:
icon: "code"
color: "blue"
inputs:
token:
description: "GitHub token"
required: true
labels:
description: "Run issue and PR auto-labeling"
required: false
default: "false"
python:
description: "Run Python formatting"
required: false
default: "false"
markdown:
description: "Run Markdown formatting (deprecated in favor of prettier)"
required: false
default: "false"
prettier:
description: "Run Prettier formatting for JavaScript, JSX, Angular, Vue, Flow, TypeScript, CSS, HTML, JSON, GraphQL, Markdown, YAML"
required: false
default: "false"
swift:
description: "Run Swift formatting"
required: false
default: "false"
spelling:
description: "Run Spelling checks"
required: false
default: "false"
links:
description: "Run Broken Links checks"
required: false
default: "false"
summary:
description: "Run PR Summary"
required: false
default: "false"
openai_api_key:
description: "OpenAI API Key"
required: false
openai_model:
description: "OpenAI Model"
required: false
default: "gpt-4o"
first_issue_response:
description: "Example response to a new issue"
required: false
first_pr_response:
description: "Example response to a new PR"
required: false
github_username:
description: "GitHub username for commits"
required: false
default: "UltralyticsAssistant"
github_email:
description: "GitHub email for commits"
required: false
default: "web@ultralytics.com"
runs:
using: "composite"
steps:
- uses: astral-sh/setup-uv@v3
- name: Install Dependencies
# Note tomli required for codespell with pyproject.toml
# For debug:
# python -m pip install --upgrade pip wheel
# pip install -q git+https://github.com/ultralytics/actions@main codespell tomli
run: |
packages="ultralytics-actions"
if [ "${{ inputs.spelling }}" = "true" ]; then
packages="$packages codespell tomli"
fi
# On macOS, don't use sudo as it can cause environment issues
if [ "$(uname)" = "Darwin" ]; then
pip install -q $packages
else
sudo env "PATH=$PATH" uv pip install --system $packages
fi
ultralytics-actions-info
shell: bash
# Checkout Repository ----------------------------------------------------------------------------------------------
- name: Checkout Repository
if: github.event.action != 'closed'
uses: actions/checkout@v4
with:
repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
token: ${{ inputs.token }}
ref: ${{ github.head_ref || github.ref }}
fetch-depth: 0
# PR Summary -------------------------------------------------------------------------------------------------------
- name: PR Summary
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.summary == 'true' && github.event.action != 'synchronize'
env:
GITHUB_TOKEN: ${{ inputs.token }}
OPENAI_API_KEY: ${{ inputs.openai_api_key }}
OPENAI_MODEL: ${{ inputs.openai_model }}
run: |
ultralytics-actions-summarize-pr
shell: bash
continue-on-error: true
# Python formatting ------------------------------------------------------------------------------------------------
# Ignores the following Docs rules to match Google-style docstrings:
# D100: Missing docstring in public module
# D104: Missing docstring in public package
# D203: 1 blank line required before class docstring
# D205: 1 blank line required between summary line and description
# D212: Multi-line docstring summary should start at the first line
# D213: Multi-line docstring summary should start at the second line
# D401: First line of docstring should be in imperative mood
# D406: Section name should end with a newline
# D407: Missing dashed underline after section
# D413: Missing blank line after last section
# --target-version is Python 3.8 for --extend-select UP (pyupgrade)
- name: Run Python
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.python == 'true' && github.event.action != 'closed'
run: |
ruff format \
--line-length 120 \
. || true
ruff check \
--fix \
--unsafe-fixes \
--extend-select I,D,UP \
--target-version py38 \
--ignore D100,D104,D203,D205,D212,D213,D401,D406,D407,D413 \
. || true
docformatter \
--wrap-summaries 120 \
--wrap-descriptions 120 \
--pre-summary-newline \
--close-quotes-on-newline \
--in-place \
--recursive \
.
shell: bash
continue-on-error: true
# Prettier (JavaScript, JSX, Angular, Vue, Flow, TypeScript, CSS, HTML, JSON, GraphQL, Markdown, YAML) -------------
- name: Run Prettier
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && (inputs.prettier == 'true' || inputs.markdown == 'true') && github.event.action != 'closed'
run: |
ultralytics-actions-update-markdown-code-blocks
npm install --global prettier
npx prettier --write "**/*.{js,jsx,ts,tsx,css,less,scss,json,yml,yaml,html,vue,svelte}" '!**/*lock.{json,yaml,yml}' '!**/*.lock' '!**/model.json'
# Handle Markdown separately
find . -name "*.md" ! -path "*/docs/*" -exec npx prettier --write {} +
if [ -d "./docs" ]; then
find ./docs -name "*.md" ! -path "*/reference/*" -exec npx prettier --tab-width 4 --write {} +
fi
shell: bash
continue-on-error: true
# - name: Fix MkDocs reference section changes
# if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && (inputs.prettier == 'true' || inputs.markdown == 'true') && github.event.action != 'closed'
# run: |
# from pathlib import Path
# for file in Path("./docs").rglob('*.md'):
# content = file.read_text()
# updated_content = content.replace(".\_","._")
# file.write_text(updated_content)
# shell: python
# continue-on-error: true
# Swift formatting -------------------------------------------------------------------------------------------------
- name: Run Swift Formatter
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.swift == 'true' && github.event.action != 'closed'
run: |
brew install swift-format
swift-format --in-place --recursive .
shell: bash
continue-on-error: true
# Spelling ---------------------------------------------------------------------------------------------------------
- name: Run Codespell
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.spelling == 'true' && github.event.action != 'closed'
run: |
codespell \
--write-changes \
--ignore-words-list "crate,nd,ned,strack,dota,ane,segway,fo,gool,winn,commend,bloc,nam,afterall,skelton,goin" \
--skip "*.pt,*.pth,*.torchscript,*.onnx,*.tflite,*.pb,*.bin,*.param,*.mlmodel,*.engine,*.npy,*.data*,*.csv,*pnnx*,*venv*,*translat*,*lock*,__pycache__*,*.ico,*.jpg,*.png,*.mp4,*.mov,/runs,/.git,./docs/??/*.md,./docs/mkdocs_??.yml"
shell: bash
continue-on-error: true
# Autolabel Issues and PRs (run before commit changes in case commit fails) ----------------------------------------
- name: Autolabel Issues and PRs
if: inputs.labels == 'true' && (github.event.action == 'opened' || github.event.action == 'created')
env:
GITHUB_TOKEN: ${{ inputs.token }}
FIRST_ISSUE_RESPONSE: ${{ inputs.first_issue_response }}
FIRST_PR_RESPONSE: ${{ inputs.first_pr_response }}
OPENAI_API_KEY: ${{ inputs.openai_api_key }}
OPENAI_MODEL: ${{ inputs.openai_model }}
run: |
ultralytics-actions-first-interaction
shell: bash
continue-on-error: true
# Commit Changes ---------------------------------------------------------------------------------------------------
- name: Commit and Push Changes
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && github.event.action != 'closed'
run: |
git config --global user.name "${{ inputs.github_username }}"
git config --global user.email "${{ inputs.github_email }}"
# this action is not called in the test
git pull origin ${{ github.head_ref || github.ref }}
git add .
git reset HEAD -- .github/workflows/ # workflow changes are not permitted with default token
if ! git diff --staged --quiet; then
git commit -m "Auto-format by https://ultralytics.com/actions"
git push
else
echo "No changes to commit"
fi
shell: bash
continue-on-error: false
# Broken links -----------------------------------------------------------------------------------------------------
- name: Broken Link Checker
if: inputs.links == 'true' && github.event.action != 'closed'
uses: lycheeverse/lychee-action@v2.0.2
with:
# Check all markdown and html files in repo. Ignores the following status codes to reduce false positives:
# - 403(OpenVINO, "forbidden")
# - 429(Instagram, "too many requests")
# - 500(Zenodo, "cached")
# - 502(Zenodo, "bad gateway")
# - 999(LinkedIn, "unknown status code")
args: |
--scheme https
--timeout 60
--insecure
--accept 403,429,500,502,999
--exclude-all-private
--exclude "https?://(www\.)?(github\.com|linkedin\.com|twitter\.com|instagram\.com|kaggle\.com|fonts\.gstatic\.com|url\.com)"
"./**/*.md"
"./**/*.html"
token: ${{ inputs.token }}
output: ../lychee/results.md
fail: true
continue-on-error: false
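Review bot: `git pull origin ${{ github.head_ref || github.ref }}` in the "Commit and Push Changes" step splices the PR head branch name straight into bash, and `git config --global user.name "${{ inputs.github_username }}"` does the same with an action input; under `pull_request_target` both values are influenced by the PR author, so this is the expression-injection pattern the fixture appears to exercise. The defensive form is to route the value through `env:` and expand it quoted, e.g. `env: HEAD_REF: ${{ github.head_ref || github.ref }}` with `git pull origin "$HEAD_REF"`. `--insecure` in the lychee args disables TLS certificate verification for every link check, which a reader of this fixture should not take as an incidental flag. The later copy of this action (the one declaring a `body` input) adds a further sink, `echo "${{ inputs.body }}"`, and the same remarks apply there; a header comment naming the intended finding would help readers of all three copies.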


@@ -0,0 +1,47 @@
name: Clone repository
description: Clone repository
inputs:
title:
description: Title
required: true
forked-pr:
description: Whether the event is operating from a forked PR
required: true
fetch-depth:
description: Fetch depth for actions/checkout
default: "1"
outputs:
result:
description: "result"
value: ${{ steps.out.outputs.replaced }}
runs:
using: composite
steps:
- shell: bash
run: echo "${{ inputs.title }}"
- uses: frabert/replace-string-action@v2.5
id: out
with:
pattern: "\""
string: ${{ inputs.title }}
replace-with: 'foo'
flags: g
- id: out2
env:
FOO: ${{ inputs.title }}
shell: bash
run: echo "result=$(echo $FOO)" >> $GITHUB_OUTPUT
- name: Clone branch
if: "!fromJSON(inputs.forked-pr)"
uses: actions/checkout@v3
with:
fetch-depth: ${{ inputs.fetch-depth }}
- name: Clone forked PR
if: fromJSON(inputs.forked-pr)
uses: actions/checkout@v3
with:
ref: refs/pull/${{ github.event.number }}/merge
fetch-depth: ${{ inputs.fetch-depth }}
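Review bot: The `result` output at `value: ${{ steps.out.outputs.replaced }}` exposes `inputs.title` with only double quotes replaced, which is not a sanitizer for a shell context — `$(...)`, backticks, `;` and newlines pass through untouched, so any consumer that interpolates `result` into a `run:` is still injectable. The first step, `run: echo "${{ inputs.title }}"`, interpolates the input directly into bash, whereas the `out2` step reads it from `$FOO`; if the fixture is meant to contrast the two, a comment on each step saying which is the unsafe pattern would make that explicit. Inside the command substitution `$FOO` is unquoted and so subject to word splitting and globbing; `echo "result=$(echo "$FOO")" >> "$GITHUB_OUTPUT"` keeps the value intact.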


@@ -0,0 +1,258 @@
# Ultralytics Actions 🚀, AGPL-3.0 License https://ultralytics.com/license
name: "Ultralytics Actions"
author: "Ultralytics"
description: "Optimize code and docs with official Ultralytics Actions for syntax, spelling, and link checks."
branding:
icon: "code"
color: "blue"
inputs:
token:
description: "GitHub token"
required: true
labels:
description: "Run issue and PR auto-labeling"
required: false
default: "false"
python:
description: "Run Python formatting"
required: false
default: "false"
markdown:
description: "Run Markdown formatting (deprecated in favor of prettier)"
required: false
default: "false"
prettier:
description: "Run Prettier formatting for JavaScript, JSX, Angular, Vue, Flow, TypeScript, CSS, HTML, JSON, GraphQL, Markdown, YAML"
required: false
default: "false"
swift:
description: "Run Swift formatting"
required: false
default: "false"
spelling:
description: "Run Spelling checks"
required: false
default: "false"
links:
description: "Run Broken Links checks"
required: false
default: "false"
summary:
description: "Run PR Summary"
required: false
default: "false"
openai_api_key:
description: "OpenAI API Key"
required: false
openai_model:
description: "OpenAI Model"
required: false
default: "gpt-4o"
first_issue_response:
description: "Example response to a new issue"
required: false
first_pr_response:
description: "Example response to a new PR"
required: false
github_username:
description: "GitHub username for commits"
required: false
default: "UltralyticsAssistant"
github_email:
description: "GitHub email for commits"
required: false
default: "web@ultralytics.com"
body:
description: "PR body"
required: false
default: ""
runs:
using: "composite"
steps:
- uses: astral-sh/setup-uv@v3
- name: Install Dependencies
# Note tomli required for codespell with pyproject.toml
# For debug:
# python -m pip install --upgrade pip wheel
# pip install -q git+https://github.com/ultralytics/actions@main codespell tomli
run: |
packages="ultralytics-actions"
if [ "${{ inputs.spelling }}" = "true" ]; then
packages="$packages codespell tomli"
fi
# On macOS, don't use sudo as it can cause environment issues
if [ "$(uname)" = "Darwin" ]; then
pip install -q $packages
else
sudo env "PATH=$PATH" uv pip install --system $packages
fi
ultralytics-actions-info
shell: bash
- shell: bash
run: |
echo "${{ inputs.body }}"
# Checkout Repository ----------------------------------------------------------------------------------------------
- name: Checkout Repository
if: github.event.action != 'closed'
uses: actions/checkout@v4
with:
repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
token: ${{ inputs.token }}
ref: ${{ github.head_ref || github.ref }}
fetch-depth: 0
# PR Summary -------------------------------------------------------------------------------------------------------
- name: PR Summary
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.summary == 'true' && github.event.action != 'synchronize'
env:
GITHUB_TOKEN: ${{ inputs.token }}
OPENAI_API_KEY: ${{ inputs.openai_api_key }}
OPENAI_MODEL: ${{ inputs.openai_model }}
run: |
ultralytics-actions-summarize-pr
shell: bash
continue-on-error: true
# Python formatting ------------------------------------------------------------------------------------------------
# Ignores the following Docs rules to match Google-style docstrings:
# D100: Missing docstring in public module
# D104: Missing docstring in public package
# D203: 1 blank line required before class docstring
# D205: 1 blank line required between summary line and description
# D212: Multi-line docstring summary should start at the first line
# D213: Multi-line docstring summary should start at the second line
# D401: First line of docstring should be in imperative mood
# D406: Section name should end with a newline
# D407: Missing dashed underline after section
# D413: Missing blank line after last section
# --target-version is Python 3.8 for --extend-select UP (pyupgrade)
- name: Run Python
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.python == 'true' && github.event.action != 'closed'
run: |
ruff format \
--line-length 120 \
. || true
ruff check \
--fix \
--unsafe-fixes \
--extend-select I,D,UP \
--target-version py38 \
--ignore D100,D104,D203,D205,D212,D213,D401,D406,D407,D413 \
. || true
docformatter \
--wrap-summaries 120 \
--wrap-descriptions 120 \
--pre-summary-newline \
--close-quotes-on-newline \
--in-place \
--recursive \
.
shell: bash
continue-on-error: true
# Prettier (JavaScript, JSX, Angular, Vue, Flow, TypeScript, CSS, HTML, JSON, GraphQL, Markdown, YAML) -------------
- name: Run Prettier
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && (inputs.prettier == 'true' || inputs.markdown == 'true') && github.event.action != 'closed'
run: |
ultralytics-actions-update-markdown-code-blocks
npm install --global prettier
npx prettier --write "**/*.{js,jsx,ts,tsx,css,less,scss,json,yml,yaml,html,vue,svelte}" '!**/*lock.{json,yaml,yml}' '!**/*.lock' '!**/model.json'
# Handle Markdown separately
find . -name "*.md" ! -path "*/docs/*" -exec npx prettier --write {} +
if [ -d "./docs" ]; then
find ./docs -name "*.md" ! -path "*/reference/*" -exec npx prettier --tab-width 4 --write {} +
fi
shell: bash
continue-on-error: true
# - name: Fix MkDocs reference section changes
# if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && (inputs.prettier == 'true' || inputs.markdown == 'true') && github.event.action != 'closed'
# run: |
# from pathlib import Path
# for file in Path("./docs").rglob('*.md'):
# content = file.read_text()
# updated_content = content.replace(".\_","._")
# file.write_text(updated_content)
# shell: python
# continue-on-error: true
# Swift formatting -------------------------------------------------------------------------------------------------
- name: Run Swift Formatter
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.swift == 'true' && github.event.action != 'closed'
run: |
brew install swift-format
swift-format --in-place --recursive .
shell: bash
continue-on-error: true
# Spelling ---------------------------------------------------------------------------------------------------------
- name: Run Codespell
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.spelling == 'true' && github.event.action != 'closed'
run: |
codespell \
--write-changes \
--ignore-words-list "crate,nd,ned,strack,dota,ane,segway,fo,gool,winn,commend,bloc,nam,afterall,skelton,goin" \
--skip "*.pt,*.pth,*.torchscript,*.onnx,*.tflite,*.pb,*.bin,*.param,*.mlmodel,*.engine,*.npy,*.data*,*.csv,*pnnx*,*venv*,*translat*,*lock*,__pycache__*,*.ico,*.jpg,*.png,*.mp4,*.mov,/runs,/.git,./docs/??/*.md,./docs/mkdocs_??.yml"
shell: bash
continue-on-error: true
# Autolabel Issues and PRs (run before commit changes in case commit fails) ----------------------------------------
- name: Autolabel Issues and PRs
if: inputs.labels == 'true' && (github.event.action == 'opened' || github.event.action == 'created')
env:
GITHUB_TOKEN: ${{ inputs.token }}
FIRST_ISSUE_RESPONSE: ${{ inputs.first_issue_response }}
FIRST_PR_RESPONSE: ${{ inputs.first_pr_response }}
OPENAI_API_KEY: ${{ inputs.openai_api_key }}
OPENAI_MODEL: ${{ inputs.openai_model }}
run: |
ultralytics-actions-first-interaction
shell: bash
continue-on-error: true
# Commit Changes ---------------------------------------------------------------------------------------------------
- name: Commit and Push Changes
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && github.event.action != 'closed'
run: |
git config --global user.name "${{ inputs.github_username }}"
git config --global user.email "${{ inputs.github_email }}"
git pull origin ${{ github.head_ref || github.ref }}
git add .
git reset HEAD -- .github/workflows/ # workflow changes are not permitted with default token
if ! git diff --staged --quiet; then
git commit -m "Auto-format by https://ultralytics.com/actions"
git push
else
echo "No changes to commit"
fi
shell: bash
continue-on-error: false
# Broken links -----------------------------------------------------------------------------------------------------
- name: Broken Link Checker
if: inputs.links == 'true' && github.event.action != 'closed'
uses: lycheeverse/lychee-action@v2.0.2
with:
# Check all markdown and html files in repo. Ignores the following status codes to reduce false positives:
# - 403(OpenVINO, "forbidden")
# - 429(Instagram, "too many requests")
# - 500(Zenodo, "cached")
# - 502(Zenodo, "bad gateway")
# - 999(LinkedIn, "unknown status code")
args: |
--scheme https
--timeout 60
--insecure
--accept 403,429,500,502,999
--exclude-all-private
--exclude "https?://(www\.)?(github\.com|linkedin\.com|twitter\.com|instagram\.com|kaggle\.com|fonts\.gstatic\.com|url\.com)"
"./**/*.md"
"./**/*.html"
token: ${{ inputs.token }}
output: ../lychee/results.md
fail: true
continue-on-error: false


@@ -0,0 +1,29 @@
name: Issue Workflow
on:
issues:
types: [opened, edited]
jobs:
redirectIssue:
runs-on: ubuntu-latest
name: Check for issue transfer
env:
content_analysis_response: undefined
steps:
- uses: actions/checkout@v2
- name: Remove conflicting chars
env:
ISSUE_TITLE: ${{github.event.issue.title}}
uses: frabert/replace-string-action@1.2
id: remove_quotations
with:
pattern: "\""
string: ${{env.ISSUE_TITLE}}
replace-with: "-"
- name: Check info
id: check-info
run: |
echo "foo $(pwsh bar ${{steps.remove_quotations.outputs.replaced}}) " >> $GITHUB_ENV
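Review bot: Replacing `"` with `-` in the issue title does not make `${{steps.remove_quotations.outputs.replaced}}` safe to interpolate into `run:` — `$(...)`, backticks, `;` and newlines survive, and the result is appended to `$GITHUB_ENV`, where an injected newline followed by `NAME=value` defines a variable for every later step. The value should reach bash through `env:` and be expanded quoted: `env: TITLE: ${{ steps.remove_quotations.outputs.replaced }}` and `echo "foo $(pwsh bar "$TITLE") " >> "$GITHUB_ENV"`. If the fixture exists to show that this replacement is not a sanitizer, a comment saying so above the step would document the expected finding.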


@@ -0,0 +1,28 @@
name: Preview Deploy
on:
workflow_run:
workflows: ["Preview Build"]
types:
- completed
jobs:
success:
runs-on: ubuntu-latest
if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
steps:
- name: download pr artifact
uses: dawidd6/action-download-artifact@v2
with:
workflow: ${{ github.event.workflow_run.workflow_id }}
name: pr
- name: save PR id
id: pr
run: echo "::set-output name=id::$(<pr-id.txt)"
- name: upload surge service
id: deploy
run: |
export DEPLOY_DOMAIN=https://ant-design-pro-preview-pr-${{ steps.pr.outputs.id }}.surge.sh
npx surge --project ./ --domain $DEPLOY_DOMAIN --token ${{ secrets.SURGE_TOKEN }}
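Review bot: `pr-id.txt` comes from an artifact uploaded by the `Preview Build` run, which for a fork pull request is controlled by the PR author, and its content is read into `steps.pr.outputs.id` and then interpolated unchecked into the `run:` at `export DEPLOY_DOMAIN=...-${{ steps.pr.outputs.id }}.surge.sh` in a job that also holds `secrets.SURGE_TOKEN`. The save step should validate the value before publishing it, e.g. `id=$(<pr-id.txt)`, `[[ "$id" =~ ^[0-9]+$ ]] || { echo "invalid PR id"; exit 1; }`, `echo "id=$id" >> "$GITHUB_OUTPUT"`, which also retires the deprecated `::set-output` command. The same artifact-to-expression flow appears in the later `workflow_run` fixtures — `echo ${{ steps.artifact.outputs.id }}` in the Second Workflow, `echo ${{ steps.artifact.outputs.content }}` in the read-file-action variant, and the `pr_number` variants after it; the final variant adds a validation step, which is the pattern to mirror here.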


@@ -0,0 +1,23 @@
name: Preview Deploy
on:
workflow_run:
workflows: ["Preview Build"]
types:
- completed
jobs:
success:
runs-on: ubuntu-latest
steps:
- id: pr
name: Download Artifact
uses: redhat-plumbers-in-action/download-artifact@main
with:
name: README
- name: upload surge service
id: deploy
run: |
echo ${{ steps.pr.outputs.id }}
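Review bot: `uses: redhat-plumbers-in-action/download-artifact@main` pins a third-party action to a mutable branch, so whatever that branch holds at run time executes in this job; a release tag or, better, a full commit SHA should be referenced. This job also has no `if:` on `github.event.workflow_run.event` or `conclusion`, unlike the neighbouring Preview Deploy fixture, so it appears to run for every completed `Preview Build` regardless of outcome or trigger. `steps.pr.outputs.id` is whatever the action derived from the downloaded `README` artifact, and the caution about interpolating artifact content into `run:` raised on the Preview Deploy fixture applies at `echo ${{ steps.pr.outputs.id }}` as well.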


@@ -0,0 +1,53 @@
name: Dependency Tree Reporter
on:
workflow_run:
workflows: [ "Dependency Tree Input Builder" ]
types:
- completed
permissions: {}
jobs:
compare:
permissions:
actions: read
pull-requests: write
runs-on: ubuntu-latest
if: >
${{ github.event.workflow_run.event == 'pull_request' &&
github.event.workflow_run.conclusion == 'success' }}
steps:
- name: Download artifacts
uses: actions/github-script@v7.0.1
with:
script: |
var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
owner: context.repo.owner,
repo: context.repo.repo,
run_id: ${{github.event.workflow_run.id }},
});
console.log(artifacts);
var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
return artifact.name == "input-artifacts"
})[0];
var download = await github.rest.actions.downloadArtifact({
owner: context.repo.owner,
repo: context.repo.repo,
artifact_id: matchArtifact.id,
archive_format: 'zip',
});
var fs = require('fs');
fs.writeFileSync('${{github.workspace}}/input.zip', Buffer.from(download.data));
- name: Set needed env vars in outputs
id: prepare
run: |
unzip input.zip
echo current directory contents
ls -al
echo Reading PR number
tmp=$(<pr)
echo "PR: ${tmp}"
echo "pr=${tmp}" >> $GITHUB_OUTPUT
- run: echo ${{ steps.prepare.outputs.pr }}
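Review bot: `tmp=$(<pr)` reads a file taken from the `input-artifacts` artifact of a `pull_request` run, so its content is controlled by the PR author, and `echo ${{ steps.prepare.outputs.pr }}` interpolates it into bash in a job granted `pull-requests: write`. Validate before publishing: `[[ "$tmp" =~ ^[0-9]+$ ]] || { echo "invalid PR number"; exit 1; }` ahead of the `echo "pr=${tmp}" >> $GITHUB_OUTPUT` line, and consume the output through `env:` rather than `${{ }}`. `unzip input.zip` extracts an attacker-supplied archive into the workspace, so anything later steps read from there should be treated as untrusted too; `console.log(artifacts)` dumps the whole artifact listing into the job log, which is noise rather than a risk.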


@@ -0,0 +1,22 @@
# Second Workflow
# It consumes an artifact produced by the First Workflow
on: workflow_run
jobs:
my-second-job:
runs-on: ubuntu-latest
steps:
- name: download pr artifact
uses: dawidd6/action-download-artifact@v2
with:
workflow: ${{github.event.workflow_run.workflow_id}}
run_id: ${{github.event.workflow_run.id}}
name: artifact
# Save PR id to output
- name: Save artifact data
id: artifact
run: echo "::set-output name=id::$(<artifact.txt)"
- name: Use artifact
run: echo ${{ steps.artifact.outputs.id }}
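Review bot: `on: workflow_run` with no `workflows:` filter subscribes this job to every workflow run in the repository, not just the First Workflow the header comment names; `on: workflow_run: workflows: ["First Workflow"]` with `types: [completed]` would match the comment's stated intent. The same bare trigger is used by the next three artifact fixtures. The artifact-to-expression flow at `echo ${{ steps.artifact.outputs.id }}` is the one already raised on the Preview Deploy fixture.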


@@ -0,0 +1,23 @@
# It consumes an artifact produced by the First Workflow
on: workflow_run
jobs:
my-second-job:
runs-on: ubuntu-latest
steps:
- name: download pr artifact
uses: dawidd6/action-download-artifact@v2
with:
workflow: ${{github.event.workflow_run.workflow_id}}
run_id: ${{github.event.workflow_run.id}}
name: artifact
# Save PR id to output
- name: Save artifact data
id: artifact
uses: juliangruber/read-file-action@v1
with:
path: ./artifact.txt
- name: Use artifact
run: echo ${{ steps.artifact.outputs.content }}


@@ -0,0 +1,30 @@
# It consumes an artifact produced by the First Workflow
on: workflow_run
jobs:
my-second-job:
runs-on: ubuntu-latest
steps:
- name: download pr artifact
uses: dawidd6/action-download-artifact@v2
with:
workflow: ${{github.event.workflow_run.workflow_id}}
run_id: ${{github.event.workflow_run.id}}
name: artifact
- id: artifact
run: |
echo "::set-output name=pr_number::$(<artifact.txt)"
mkdir firebase-android
unzip firebase-android.zip -d firebase-android
- name: Use artifact
run: echo ${{ steps.artifact.outputs.pr_number }}
- id: artifact2
run: |
echo "::set-output name=pr_number::$(cat -e artifact.txt)"
mkdir firebase-android
unzip firebase-android.zip -d firebase-android
- name: Use artifact
run: echo ${{ steps.artifact2.outputs.pr_number }}
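Review bot: The `artifact2` step repeats `mkdir firebase-android` after the `artifact` step already created that directory, so the second `mkdir` fails with "File exists" and, if the step runs under the usual `-e` shell, aborts before `unzip`; use `mkdir -p firebase-android` or drop the duplicated lines. `cat -e artifact.txt` appends `$` to each line and makes control characters visible but does not sanitize anything, so `pr_number` in both variants still carries the artifact content, trailing `$` included, into `run:` via `${{ steps.artifact2.outputs.pr_number }}` — the flow raised on the Preview Deploy fixture. The validated variant that follows this file shows the intended contrast; a comment marking which of these two steps is expected to be flagged would document it.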


@@ -0,0 +1,31 @@
# It consumes an artifact produced by the First Workflow
on: workflow_run
jobs:
my-second-job:
runs-on: ubuntu-latest
steps:
- name: download pr artifact
uses: dawidd6/action-download-artifact@v2
with:
workflow: ${{github.event.workflow_run.workflow_id}}
run_id: ${{github.event.workflow_run.id}}
name: artifact
- id: artifact
run: |
set -eou pipefail
pr_number=$(cat -e artifact.txt)
pr_number=${pr_number%?}
pr_length=${#pr_number}
only_numbers_re="^[0-9]+$"
if ! [[ $pr_length <= 10 && $pr_number =~ $only_numbers_re ]] ; then
echo "invalid PR number"
exit 1
fi
echo "::set-output name=pr_number::$pr_number"
mkdir firebase-android
unzip firebase-android.zip -d firebase-android
- name: Use artifact
run: echo ${{ steps.artifact.outputs.pr_number }}
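Review bot: `[[ $pr_length <= 10 && $pr_number =~ $only_numbers_re ]]` is not valid bash — `<=` is not a `[[` operator (only `<`, `>`, `-lt`, `-le` and similar are), so bash rejects the conditional as a syntax error and the script aborts at that point regardless of the artifact content. Use `if ! [[ $pr_length -le 10 && $pr_number =~ $only_numbers_re ]] ; then`. With that fixed the check is sound: `${pr_number%?}` strips the `$` that `cat -e` appends and the digits-only regex rejects anything else before the value is published, which is the pattern the other artifact fixtures lack; `echo "pr_number=$pr_number" >> "$GITHUB_OUTPUT"` would also retire the deprecated `::set-output` command.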
