Merge Actions queries from github/codeql-actions

Dave Bartolomeo
2024-12-18 14:39:43 -05:00
1310 changed files with 38329 additions and 4 deletions


@@ -0,0 +1,15 @@
on: [push]
jobs:
hello_world_job:
runs-on: ubuntu-latest
name: A job to say hello
steps:
- uses: actions/checkout@v4
- id: foo
uses: some-org/test-action@v1
with:
who-to-greet: ${{ github.event.pull_request.head.ref }}
- run: echo ${{ steps.foo.outputs.reflected}}
- run: echo ${{ steps.foo.outputs.tainted}}
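Review bot: The last two `run:` lines interpolate `steps.foo.outputs.reflected` and `steps.foo.outputs.tainted` directly into the shell command, which is presumably the sink this fixture exists to exercise, but nothing in the file says which lines are the expected findings, whereas the other fixtures in this commit annotate cases with `# VULNERABLE` / `# NOT VULNERABLE`. Suggest `# VULNERABLE: action outputs interpolated into run` above the first of those two steps so the expected result is readable without the `.expected` file. Both expressions also lack the space before `}}` (`${{ steps.foo.outputs.reflected }}`), which is valid but inconsistent with the rest of the commit.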


@@ -0,0 +1,47 @@
name: Call a reusable workflow and use its outputs
on:
workflow_dispatch:
jobs:
call1:
uses: octo-org/this-repo/.github/workflows/reusable_workflow.yml@172239021f7ba04fe7327647b213799853a9eb89
with:
config-path: ${{ github.event.pull_request.head.ref }}
call2:
uses: ./.github/workflows/reusable_workflow.yml
with:
config-path: ${{ github.event.pull_request.head.ref }}
call3:
uses: octo-org/summary-repo/.github/workflows/workflow.yml@v1
with:
config-path: ${{ github.event.pull_request.head.ref }}
call4:
uses: octo-org/source-repo/.github/workflows/workflow.yml@v1
call5:
uses: octo-org/sink-repo/.github/workflows/workflow.yml@v1
with:
config-path: ${{ github.event.pull_request.head.ref }}
job1:
runs-on: ubuntu-latest
needs: call1
steps:
- run: echo ${{ needs.call1.outputs.workflow-output }}
job2:
runs-on: ubuntu-latest
needs: call2
steps:
- run: echo ${{ needs.call2.outputs.workflow-output1 }}
- run: echo ${{ needs.call2.outputs.workflow-output2 }}
job3:
runs-on: ubuntu-latest
needs: call3
steps:
- run: echo ${{ needs.call3.outputs.workflow-output }}
job4:
runs-on: ubuntu-latest
needs: call4
steps:
- run: echo ${{ needs.call4.outputs.workflow-output }}
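Review bot: `call2` calls `./.github/workflows/reusable_workflow.yml` with only a `with:` block, and `call1` appears to reference the same file by repository path, yet that reusable workflow declares `secrets: token: required: true`; Actions rejects a caller that omits a required secret, so this caller/callee pair is not a valid workflow as written. Either add `secrets: inherit` under those two `uses:` entries or drop `required: true` from the callee. I assume the analysis under test does not check this, but fixtures that would actually run are easier to re-use and reason about. `call5` is the only job whose outputs no later job reads, which is presumably the deliberate "sink-repo" case; a comment saying so would help.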


@@ -0,0 +1,34 @@
name: Reusable workflow example
on:
workflow_call:
inputs:
config-path:
required: true
type: string
outputs:
workflow-output1:
value: ${{ jobs.job1.outputs.job-output1 }}
workflow-output2:
value: ${{ jobs.job1.outputs.job-output2 }}
secrets:
token:
required: true
jobs:
job1:
runs-on: ubuntu-latest
outputs:
job-output1: ${{ steps.step1.outputs.step-output}}
job-output2: ${{ steps.step2.outputs.all_changed_files}}
steps:
- id: step1
env:
CONFIG_PATH: ${{ inputs.config-path }}
run: |
echo ${{ inputs.config-path }}
echo "::set-output name=step-output::$CONFIG_PATH"
- name: Get changed files
id: step2
uses: tj-actions/changed-files@v40
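Review bot: `step1` writes its output with the deprecated `::set-output` workflow command while the rest of the fixture uses the current `$GITHUB_OUTPUT` style nowhere, so a reader cannot tell whether the legacy syntax is part of what is being tested (the output2 fixture in this commit uses it too) or simply stale. If it is intentional, a comment such as `# legacy ::set-output form, kept so the model recognises it` on that line would settle it; otherwise `echo "step-output=$CONFIG_PATH" >> "$GITHUB_OUTPUT"` is the replacement. The same step both echoes `${{ inputs.config-path }}` inline and exports it through `CONFIG_PATH`; marking the inline expression as the expected expression-injection finding and the env form as the safe pattern would make the two-line contrast explicit.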


@@ -0,0 +1,15 @@
edges
| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:28:18:28:43 | inputs.who-to-greet | provenance | |
| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet | provenance | |
| action1/action.yml:24:7:31:4 | Uses Step: replace [value] | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | provenance | |
| action1/action.yml:28:18:28:43 | inputs.who-to-greet | action1/action.yml:24:7:31:4 | Uses Step: replace [value] | provenance | |
nodes
| action1/action.yml:4:3:4:14 | input who-to-greet | semmle.label | input who-to-greet |
| action1/action.yml:24:7:31:4 | Uses Step: replace [value] | semmle.label | Uses Step: replace [value] |
| action1/action.yml:28:18:28:43 | inputs.who-to-greet | semmle.label | inputs.who-to-greet |
| action1/action.yml:32:18:32:51 | steps.replace.outputs.value | semmle.label | steps.replace.outputs.value |
| action1/action.yml:35:25:35:50 | inputs.who-to-greet | semmle.label | inputs.who-to-greet |
subpaths
#select
| action1/action.yml:32:18:32:51 | steps.replace.outputs.value | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | Sink |
| action1/action.yml:35:25:35:50 | inputs.who-to-greet | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet | Sink |


@@ -0,0 +1 @@
Models/CompositeActionsSinks.ql


@@ -0,0 +1,21 @@
edges
| action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | provenance | |
| action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | provenance | |
| action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | provenance | |
| action1/action.yml:44:7:48:70 | Run Step: source [tainted] | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | provenance | |
| action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | action1/action.yml:44:7:48:70 | Run Step: source [tainted] | provenance | |
nodes
| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | semmle.label | steps.reflector.outputs.reflected |
| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | semmle.label | steps.source.outputs.tainted |
| action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | semmle.label | Run Step: reflector [reflected] |
| action1/action.yml:41:30:41:55 | inputs.who-to-greet | semmle.label | inputs.who-to-greet |
| action1/action.yml:42:7:44:4 | Uses Step: changed-files | semmle.label | Uses Step: changed-files |
| action1/action.yml:44:7:48:70 | Run Step: source [tainted] | semmle.label | Run Step: source [tainted] |
| action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files |
subpaths
#select
| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Source |
| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Source |
| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source |
| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source |
| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source |


@@ -0,0 +1,2 @@
Models/CompositeActionsSources.ql


@@ -0,0 +1,12 @@
edges
| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:41:30:41:55 | inputs.who-to-greet | provenance | |
| action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | provenance | |
| action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | provenance | |
nodes
| action1/action.yml:4:3:4:14 | input who-to-greet | semmle.label | input who-to-greet |
| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | semmle.label | steps.reflector.outputs.reflected |
| action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | semmle.label | Run Step: reflector [reflected] |
| action1/action.yml:41:30:41:55 | inputs.who-to-greet | semmle.label | inputs.who-to-greet |
subpaths
#select
| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Summary |


@@ -0,0 +1,2 @@
Models/CompositeActionsSummaries.ql


@@ -0,0 +1,24 @@
edges
| .github/workflows/calling_workflow.yml:12:5:15:2 | Job: call2 [workflow-output1] | .github/workflows/calling_workflow.yml:35:20:35:62 | needs.call2.outputs.workflow-output1 | provenance | |
| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | provenance | |
| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | provenance | |
| .github/workflows/reusable_workflow.yml:10:7:14:4 | output Job outputs node [workflow-output1] | .github/workflows/calling_workflow.yml:12:5:15:2 | Job: call2 [workflow-output1] | provenance | |
| .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | .github/workflows/reusable_workflow.yml:10:7:14:4 | output Job outputs node [workflow-output1] | provenance | |
| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | provenance | |
| .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | provenance | |
| .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | provenance | |
| .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | provenance | |
nodes
| .github/workflows/calling_workflow.yml:12:5:15:2 | Job: call2 [workflow-output1] | semmle.label | Job: call2 [workflow-output1] |
| .github/workflows/calling_workflow.yml:35:20:35:62 | needs.call2.outputs.workflow-output1 | semmle.label | needs.call2.outputs.workflow-output1 |
| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | semmle.label | input config-path |
| .github/workflows/reusable_workflow.yml:10:7:14:4 | output Job outputs node [workflow-output1] | semmle.label | output Job outputs node [workflow-output1] |
| .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | semmle.label | jobs.job1.outputs.job-output1 |
| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | semmle.label | Job outputs node [job-output1] |
| .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | semmle.label | steps.step1.outputs.step-output |
| .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | semmle.label | Run Step: step1 [step-output] |
| .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | semmle.label | inputs.config-path |
| .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | semmle.label | inputs.config-path |
subpaths
#select
| .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | Sink |


@@ -0,0 +1,2 @@
Models/ReusableWorkflowsSinks.ql


@@ -0,0 +1,12 @@
edges
| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | provenance | |
| .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | provenance | |
| .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | provenance | |
nodes
| .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | semmle.label | jobs.job1.outputs.job-output2 |
| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | semmle.label | Job outputs node [job-output2] |
| .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | semmle.label | steps.step2.outputs.all_changed_files |
| .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | semmle.label | Uses Step: step2 |
subpaths
#select
| .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | Source |


@@ -0,0 +1,2 @@
Models/ReusableWorkflowsSources.ql


@@ -0,0 +1,16 @@
edges
| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | provenance | |
| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | provenance | |
| .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | provenance | |
| .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | provenance | |
| .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | provenance | |
nodes
| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | semmle.label | input config-path |
| .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | semmle.label | jobs.job1.outputs.job-output1 |
| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | semmle.label | Job outputs node [job-output1] |
| .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | semmle.label | steps.step1.outputs.step-output |
| .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | semmle.label | Run Step: step1 [step-output] |
| .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | semmle.label | inputs.config-path |
subpaths
#select
| .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | Summary |


@@ -0,0 +1,2 @@
Models/ReusableWorkflowsSummaries.ql


@@ -0,0 +1,51 @@
name: 'Hello World'
description: 'Greet someone'
inputs:
who-to-greet: # id of input
description: 'Who to greet'
required: true
default: 'World'
outputs:
reflected:
description: "Reflected input"
value: ${{ steps.reflector.outputs.reflected }}
tainted:
description: "Reflected input"
value: ${{ steps.source.outputs.tainted}}
runs:
using: "composite"
steps:
- name: Secure Set Greeting
run: echo "Hello $INPUT_WHO_TO_GREET."
shell: bash
env:
INPUT_WHO_TO_GREET: ${{ inputs.who-to-greet }}
- name: Remove foo
id: replace
uses: mad9000/actions-find-and-replace-string@3
with:
source: ${{ inputs.who-to-greet }}
find: 'foo'
replace: ''
- id: sink
run: echo ${{ steps.replace.outputs.value }}
shell: bash
- name: Vulnerable Set Greeting
run: echo "Hello ${{ inputs.who-to-greet }}."
shell: bash
- id: reflector
run: echo "reflected=$(echo $INPUT_WHO_TO_GREET)" >> $GITHUB_OUTPUT
shell: bash
env:
INPUT_WHO_TO_GREET: ${{ inputs.who-to-greet }}
- id: changed-files
uses: tj-actions/changed-files@v40
- id: source
run: echo "tainted=$(echo $TAINTED)" >> $GITHUB_OUTPUT
shell: bash
env:
TAINTED: ${{ steps.changed-files.outputs.all_changed_files }}
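Review bot: The `tainted` output's `description: "Reflected input"` is copied from `reflected` and is inaccurate: its `value:` is `steps.source.outputs.tainted`, which the `source` step fills from `steps.changed-files.outputs.all_changed_files`, not from the `who-to-greet` input. Suggest `description: "Changed-file list taken from the changed-files step"` so the two outputs are distinguishable from the metadata alone. The `who-to-greet` input is declared both `required: true` and with `default: 'World'`; that is accepted, but only one of the two is presumably meant, and the `# id of input` comment beside it is left over from the GitHub docs template.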


@@ -0,0 +1,39 @@
on:
issue_comment:
jobs:
test1:
runs-on: ubuntu-latest
steps:
- id: clob1
env:
BODY: ${{ github.event.comment.body }}
run: |
# VULNERABLE
echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT
echo "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT
- id: clob2
run: |
echo ${{ steps.clob1.outputs.OUTPUT_1 }}
echo ${{ steps.clob1.outputs.OUTPUT_2 }}
test2:
runs-on: ubuntu-latest
steps:
- id: clob1
env:
BODY: ${{ github.event.comment.body }}
run: |
# NOT VULNERABLE
echo "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT
test3:
runs-on: ubuntu-latest
steps:
- name: Download artifact
uses: dawidd6/action-download-artifact@v6
with:
run_id: ${{ github.event.workflow_run.id }}
name: pr_number
- id: clob1
run: |
# VULNERABLE
echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT
echo "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT


@@ -0,0 +1,62 @@
on:
issue_comment:
jobs:
test1:
runs-on: ubuntu-latest
steps:
- id: clob1
env:
BODY: ${{ github.event.comment.body }}
run: |
# VULNERABLE
echo $BODY
echo "::set-output name=OUTPUT::SAFE"
- id: clob2
env:
BODY: ${{ github.event.comment.body }}
run: |
# VULNERABLE
echo "::set-output name=OUTPUT::SAFE"
echo $BODY
- id: clob3
run: |
echo ${{ steps.clob1.outputs.OUTPUT }}
test2:
runs-on: ubuntu-latest
steps:
- id: clob1
env:
BODY: ${{ github.event.comment.body }}
run: |
# NOT VULNERABLE
echo "::set-output name=OUTPUT::SAFE"
test3:
runs-on: ubuntu-latest
steps:
- name: Download artifact
uses: dawidd6/action-download-artifact@v6
with:
run_id: ${{ github.event.workflow_run.id }}
name: pr_number
- id: clob1
run: |
# VULNERABLE
PR="$(<pr-number)"
echo "$PR"
echo "::set-output name=OUTPUT::SAFE"
- id: clob2
run: |
# VULNERABLE
cat pr-number
echo "::set-output name=OUTPUT::SAFE"
- id: clob3
run: |
# VULNERABLE
echo "::set-output name=OUTPUT::SAFE"
ls *.txt
- id: clob4
run: |
# VULNERABLE
CURRENT_VERSION=$(cat gradle.properties | sed -n '/^version=/ { s/^version=//;p }')
echo "$CURRENT_VERSION"
echo "::set-output name=OUTPUT::SAFE"


@@ -0,0 +1,33 @@
edges
| .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | provenance | Config |
| .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | provenance | Config |
| .github/workflows/output2.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | provenance | Config |
| .github/workflows/output2.yml:16:18:16:49 | github.event.comment.body | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | provenance | Config |
| .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n | provenance | Config |
| .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:48:14:51:48 | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n | provenance | Config |
| .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | provenance | Config |
| .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | provenance | Config |
nodes
| .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | semmle.label | github.event.comment.body |
| .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | semmle.label | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n |
| .github/workflows/output1.yml:30:9:35:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | semmle.label | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n |
| .github/workflows/output2.yml:9:18:9:49 | github.event.comment.body | semmle.label | github.event.comment.body |
| .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | semmle.label | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n |
| .github/workflows/output2.yml:16:18:16:49 | github.event.comment.body | semmle.label | github.event.comment.body |
| .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | semmle.label | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n |
| .github/workflows/output2.yml:36:9:41:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n | semmle.label | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n |
| .github/workflows/output2.yml:48:14:51:48 | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n | semmle.label | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n |
| .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | semmle.label | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n |
| .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | semmle.label | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n |
subpaths
#select
| .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n |
| .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n |
| .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n |
| .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | .github/workflows/output2.yml:16:18:16:49 | github.event.comment.body | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n |
| .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n |
| .github/workflows/output2.yml:48:14:51:48 | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:48:14:51:48 | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:48:14:51:48 | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n |
| .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n |
| .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n |


@@ -0,0 +1 @@
Security/CWE-074/OutputClobberingHigh.ql


@@ -0,0 +1,32 @@
name: DownloadArtifacts
description: 'Downloads and unarchives artifacts for a workflow that runs on workflow_run so that it can use its data'
runs:
using: "composite"
steps:
- uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
owner: context.repo.owner,
repo: context.repo.repo,
run_id: context.payload.workflow_run.id,
});
let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
return artifact.name == "artifacts"
})[0];
let download = await github.rest.actions.downloadArtifact({
owner: context.repo.owner,
repo: context.repo.repo,
artifact_id: matchArtifact.id,
archive_format: 'zip',
});
let fs = require('fs');
fs.writeFileSync(`/tmp/artifacts.zip`, Buffer.from(download.data));
- run: |
mkdir -p /tmp/artifacts
unzip /tmp/artifacts.zip
shell: bash
- run: |
echo "Downloaded artifacts:"
ls -ablh
shell: bash
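Review bot: `unzip /tmp/artifacts.zip` in the second step extracts into the working directory, so the `mkdir -p /tmp/artifacts` above it is unused and `ls -ablh` lists the checkout rather than the download; the second copy of this action in the commit passes `-d /tmp/artifacts`, and both SnapshotPR fixtures read `/tmp/artifacts/metadata.txt`. If the missing `-d` is what separates the two variants for the query, say so in a comment on that line; otherwise `unzip /tmp/artifacts.zip -d /tmp/artifacts` makes them consistent. In the script, `filter(...)[0]` is `undefined` when no artifact named `artifacts` exists, so `matchArtifact.id` throws a bare TypeError; a guard such as `if (!matchArtifact) { core.setFailed('no artifact named "artifacts"'); return; }` before the download call gives a readable failure, and applies to both copies of this action.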


@@ -0,0 +1,32 @@
name: DownloadArtifacts
description: 'Downloads and unarchives artifacts for a workflow that runs on workflow_run so that it can use its data'
runs:
using: "composite"
steps:
- uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
owner: context.repo.owner,
repo: context.repo.repo,
run_id: context.payload.workflow_run.id,
});
let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
return artifact.name == "artifacts"
})[0];
let download = await github.rest.actions.downloadArtifact({
owner: context.repo.owner,
repo: context.repo.repo,
artifact_id: matchArtifact.id,
archive_format: 'zip',
});
let fs = require('fs');
fs.writeFileSync(`/tmp/artifacts.zip`, Buffer.from(download.data));
- run: |
mkdir -p /tmp/artifacts
unzip /tmp/artifacts.zip -d /tmp/artifacts
shell: bash
- run: |
echo "Downloaded artifacts:"
ls -ablh /tmp/artifacts
shell: bash


@@ -0,0 +1,20 @@
name: Pull Request Open
on:
workflow_run:
workflows: ["Prev"]
types:
- completed
jobs:
Download:
runs-on: ubuntu-latest
steps:
- run: |
gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name"
- name: Unzip
run: |
unzip artifact_name.zip -d foo
- name: Env Var Injection
run: |
echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV


@@ -0,0 +1,26 @@
name: Pull Request Open
on:
workflow_run:
workflows: ["Prev"]
types:
- completed
jobs:
Download:
runs-on: ubuntu-latest
steps:
- run: |
gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name"
- name: Unzip
run: |
unzip artifact_name.zip -d foo
- name: Env Var Injection
run: |
echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"
cat foo >> "$GITHUB_ENV"
echo "EOF" >> "${GITHUB_ENV}"


@@ -0,0 +1,27 @@
name: Pull Request Open
on:
workflow_run:
workflows: ["Prev"]
types:
- completed
jobs:
Download:
runs-on: ubuntu-latest
steps:
- run: |
gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name"
- name: Unzip
run: |
unzip artifact_name.zip -d foo
- run: |
{
echo 'JSON_RESPONSE<<EOF'
cat foo
echo EOF
} >> "$GITHUB_ENV"


@@ -0,0 +1,29 @@
name: SnapshotPR
on:
workflow_run:
workflows:
- ApprovalComment
types:
- completed
jobs:
snapshot:
permissions:
id-token: write
pull-requests: write
statuses: write
if: github.event.workflow_run.conclusion == 'success'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- uses: ./.github/actions/download-artifact
- id: metadata
run: |
pr_number="$(head -n 2 /tmp/artifacts/metadata.txt | tail -n 1)"
pr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"
echo PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"
echo PR_NUMBER="$pr_number" >> "$GITHUB_ENV"
- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
with:
ref: ${{ env.PR_COMMIT }}
- uses: ./.github/actions/install-deps
- run: make snapshot
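Review bot: The `metadata` step exports `PR_COMMIT` and `PR_NUMBER` through `GITHUB_ENV`, but `PR_NUMBER` is never read, and `PR_COMMIT` comes from `/tmp/artifacts/metadata.txt`, which the `download-artifact` action fetched from the run that triggered this `workflow_run`; the `ref:` of the second checkout is therefore whatever that upstream run wrote. That is presumably the finding the fixture expects, so a comment above the step such as `# metadata.txt is produced by the triggering run; PR_COMMIT is not trusted data` would make it explicit, and if the env-var route is not itself under test the step could write `$GITHUB_OUTPUT` and use `ref: ${{ steps.metadata.outputs.pr_commit }}` instead. The fixture that follows is identical apart from `./.github/actions/download-artifact-2`; a one-line comment stating what each variant exercises would help.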


@@ -0,0 +1,29 @@
name: SnapshotPR
on:
workflow_run:
workflows:
- ApprovalComment
types:
- completed
jobs:
snapshot:
permissions:
id-token: write
pull-requests: write
statuses: write
if: github.event.workflow_run.conclusion == 'success'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- uses: ./.github/actions/download-artifact-2
- id: metadata
run: |
pr_number="$(head -n 2 /tmp/artifacts/metadata.txt | tail -n 1)"
pr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"
echo PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"
echo PR_NUMBER="$pr_number" >> "$GITHUB_ENV"
- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
with:
ref: ${{ env.PR_COMMIT }}
- uses: ./.github/actions/install-deps
- run: make snapshot


@@ -0,0 +1,33 @@
name: Pull Request Open
on:
pull_request_target:
jobs:
test:
runs-on: ubuntu-latest
steps:
- run: echo "${{ github.event.pull_request.title }}" >> $GITHUB_PATH
- env:
PATHINJ: ${{ github.event.pull_request.title }}
run: echo $(echo "$PATHINJ") >> $GITHUB_PATH
- env:
PATHINJ: ${{ github.event.pull_request.title }}
run: echo $PATHINJ >> $GITHUB_PATH
- env:
PATHINJ: ${{ github.event.pull_request.title }}
run: echo ${PATHINJ} >> $GITHUB_PATH
- uses: dawidd6/action-download-artifact@v2
with:
name: artifact_name
path: foo
- run: echo "$(cat foo/bar)" >> $GITHUB_PATH
- env:
ACTIONS_ALLOW_UNSECURE_COMMANDS: true
PATHINJ: ${{ github.event.pull_request.title }}
run: echo "::add-path::$PATHINJ"
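Review bot: The first step, `run: echo "${{ github.event.pull_request.title }}" >> $GITHUB_PATH`, interpolates the title straight into the shell rather than through an env variable, and the PATH-injection expected output in this commit lists only the `$PATHINJ` and `cat foo/bar` steps, so a reader cannot tell whether its absence from the results is intended. The sibling fixture below records that intent in the step name (`- name: Code Injection, do not report as ENV VAR INJ`); the same convention fits here, e.g. `- name: Code Injection, do not report as PATH INJ`. The remaining steps carry no marker of which are expected to alert, unlike the `# VULNERABLE` / `# NOT VULNERABLE` comments in the `PR_NUMBER=$(cat pr_number.txt ...)` fixture; the `PR_TITLE=$TITLE` fixture, the `FOO=${TITLE##*/}` fixture and the `./artifacts/parent-artifacts/event.txt` fixture would benefit from the same per-step annotations. The hunk header counts 33 added lines but fewer are visible here, so some lines (probably blanks) may have been dropped in rendering; the points above are based on what is shown.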


@@ -0,0 +1,15 @@
name: Test
on:
pull_request_target:
jobs:
test:
runs-on: ubuntu-latest
steps:
- name: Code Injection, do not report as ENV VAR INJ
run: echo ISSUE_KEY=$(echo "${{ github.event.pull_request.title }}") >> $GITHUB_ENV
- name: Code Injection, do not report as ENV VAR INJ
run: echo ISSUE_KEY=$(echo "${{ github.event.pull_request.head.ref }}") >> $GITHUB_ENV


@@ -0,0 +1,28 @@
name: Build and Dockerize
on:
pull_request_target:
jobs:
build:
name: Test
runs-on: ubuntu-latest
steps:
- name: Decide Which 'ref' To Checkout
id: decide-ref
run: |
if [[ "${{github.event_name}}" == "pull_request_target" ]]; then
echo "ref=refs/pull/${{ github.event.pull_request.number }}/merge" >> $GITHUB_OUTPUT
else
echo "ref=${{github.ref}}" >> $GITHUB_OUTPUT
fi
- name: Checkout
uses: actions/checkout@v4
with:
ref: ${{steps.decide-ref.outputs.ref}}
path: "foo"
- name: Read Java Config
run: cat foo/.github/java-config.env >> $GITHUB_ENV


@@ -0,0 +1,28 @@
name: Write prerelease comment
on:
workflow_run:
workflows: ["Create Pull Request Prerelease"]
types:
- completed
jobs:
comment:
if: ${{ github.repository_owner == 'foo' }}
runs-on: ubuntu-latest
name: Write comment to the PR
steps:
- name: "Download runtime versions"
uses: dawidd6/action-download-artifact@v2
with:
run_id: ${{ github.event.workflow_run.id }}
name: runtime-versions.md
- name: "Put runtime versions on the environment"
id: runtime_versions
run: |
{
echo 'RUNTIME_VERSIONS<<EOF'
cat runtime-versions.md
echo EOF
} >> "$GITHUB_ENV"


@@ -0,0 +1,80 @@
name: Write prerelease comment
on:
workflow_run:
workflows: ["Create Pull Request Prerelease"]
types:
- completed
jobs:
comment:
runs-on: ubuntu-latest
name: Write comment to the PR
steps:
- name: "Put PR and workflow ID on the environment"
uses: actions/github-script@v7
with:
script: |
// Copied from .github/extract-pr-and-workflow-id.js
const allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
owner: context.repo.owner,
repo: context.repo.repo,
run_id: context.payload.workflow_run.id,
});
for (const artifact of allArtifacts.data.artifacts) {
// Extract the PR number from the artifact name
const match = /^npm-package-(.+)-(\d+)$/.exec(artifact.name);
if (match) {
const packageName = match[1].toUpperCase();
require("fs").appendFileSync(
process.env.GITHUB_ENV,
`\nWORKFLOW_RUN_PR_FOR_${packageName}=${match[2]}` +
`\nWORKFLOW_RUN_ID_FOR_${packageName}=${context.payload.workflow_run.id}`
);
}
}
- name: "Download runtime versions"
# Regular `actions/download-artifact` doesn't support downloading
# artifacts from another workflow
uses: dawidd6/action-download-artifact@v2
with:
run_id: ${{ github.event.workflow_run.id }}
name: runtime-versions.md
- name: "Put runtime versions on the environment"
id: runtime_versions
run: |
{
echo 'RUNTIME_VERSIONS<<EOF'
cat runtime-versions.md
echo EOF
} >> "$GITHUB_ENV"
- name: "Download pre-release report"
uses: dawidd6/action-download-artifact@v2
with:
run_id: ${{ github.event.workflow_run.id }}
name: prerelease-report.md
- name: "Put pre-release report on the environment"
id: prerelease_report
run: |
{
echo 'PRERELEASE_REPORT<<EOF'
cat prerelease-report.md
echo EOF
} >> "$GITHUB_ENV"
- name: "Comment on PR with Wrangler link"
uses: marocchino/sticky-pull-request-comment@v2
with:
number: ${{ env.WORKFLOW_RUN_PR_FOR_WRANGLER }}
message: |
${{ env.PRERELEASE_REPORT }}
---
${{ env.RUNTIME_VERSIONS }}


@@ -0,0 +1,23 @@
name: publish
on:
pull_request_target:
branches:
- main
jobs:
need-publish:
permissions:
actions: write
name: Need Publish
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.ref }}
- name: Get commit message
run: |
COMMIT_MESSAGE=$(git log --format=%s)
echo "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV
- name: Get commit message
run: |
echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV
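Review bot: Both steps in `need-publish` are named `Get commit message`, which makes the two variants (assign then `echo`, and inline `$(git log ...)`) indistinguishable in run logs and in any expectation keyed by step name. Distinct names such as `Get commit message (variable)` and `Get commit message (inline)` would tell the reader the second step is the same sink written differently rather than an accidental duplicate. Separately, `git log --format=%s` with no range prints the subject of every commit reachable from the checked-out `${{ github.event.pull_request.head.ref }}`, not a single message; if one message is intended, `git log -1 --format=%s` is what the step name implies.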


@@ -0,0 +1,30 @@
name: Pull Request Open
on:
pull_request_target:
jobs:
test1:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
with:
ref: ${{ github.event.pull_request.head.sha }}
- id: changed-files
run: |
echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"
- run: echo "${{ env.CHANGED-FILES }}"
test2:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
with:
ref: ${{ github.event.pull_request.head.sha }}
- id: changed-files
run: |
FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)
echo "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"
- run: echo "${{ env.CHANGED-FILES }}"


@@ -0,0 +1,29 @@
name: Pull Request Open
on:
pull_request_target:
jobs:
test1:
runs-on: ubuntu-latest
steps:
- id: title
run: |
echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"
- run: echo "$TITLE"
test2:
runs-on: ubuntu-latest
steps:
- id: title
run: |
PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})
echo "BODY=$PR_BODY" >> "$GITHUB_ENV"
- run: echo "$TITLE"
test3:
runs-on: ubuntu-latest
steps:
- run: |
echo "branch_name=$(jq --raw-output .pull_request.head.ref $GITHUB_EVENT_PATH)" >> $GITHUB_ENV
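Review bot: In `test1` and `test2` the step with `id: title` writes `BODY=...` to `$GITHUB_ENV`, yet the following step echoes `$TITLE`, which nothing in the job sets; the id, the variable written and the variable read all disagree. If the follow-up step is meant to show the injected value being consumed, `- run: echo "$BODY"` is what the preceding line sets up; if the mismatch is deliberate (checking that the query does not attach an alert to an unrelated variable), a comment such as `# $TITLE is intentionally unset here` would stop it being read as a typo. `test3` has no consuming step at all, which is fine if the sink is the write itself, but a one-line comment saying so would make the three jobs' roles explicit.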


@@ -0,0 +1,35 @@
name: Pull Request Open
on:
workflow_run:
jobs:
test1:
runs-on: ubuntu-latest
steps:
- name: Download PR metadata
uses: dawidd6/action-download-artifact@e6e25ac3a2b93187502a8be1ef9e9603afc34925 # v2.24.2
with:
workflow: ${{ github.event.workflow_run.workflow_id }}
name: pr_metadata
- run: |
# VULNERABLE
echo "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV
- run: |
# VULNERABLE
echo "PR_NUMBER=$(cat pr_number.txt | tr ',' '\n')" >> $GITHUB_ENV
- run: |
# NOT VULNERABLE
echo "PR_NUMBER=$(cat pr_number.txt | tr '\n' ' ')" >> $GITHUB_ENV
- run: |
# NOT VULNERABLE
echo "PR_NUMBER=$(cat pr_number.txt | tr -d '\n')" >> $GITHUB_ENV
- run: |
# NOT VULNERABLE
echo "PR_NUMBER=$(cat pr_number.txt | tr -cd '[:alpha:]_')" >> $GITHUB_ENV
- run: |
# NOT VULNERABLE
echo "PR_NUMBER=$(cat pr_number.txt | tail -n 1)" >> $GITHUB_ENV
- run: |
# NOT VULNERABLE
echo "PR_NUMBER=$(cat pr_number.txt | head -n 1)" >> $GITHUB_ENV


@@ -0,0 +1,36 @@
on:
push:
branches: [main]
workflow_dispatch:
inputs:
pypi:
type: boolean
description: Publish
jobs:
publish:
runs-on: ubuntu-latest
permissions:
id-token: write
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
token: ${{ secrets._GITHUB_TOKEN }}
- name: Extract PR Details
env:
GH_TOKEN: ${{ secrets._GITHUB_TOKEN }}
run: |
# Check if the event is a pull request or pull_request_target
if [ "${{ github.event_name }}" = "pull_request" ] || [ "${{ github.event_name }}" = "pull_request_target" ]; then
PR_NUMBER=${{ github.event.pull_request.number }}
PR_TITLE=$(gh pr view $PR_NUMBER --json title --jq '.title')
else
# Use gh to find the PR associated with the commit
COMMIT_SHA=${{ github.event.after }}
PR_JSON=$(gh pr list --search "${COMMIT_SHA}" --state merged --json number,title --jq '.[0]')
PR_NUMBER=$(echo $PR_JSON | jq -r '.number')
PR_TITLE=$(echo $PR_JSON | jq -r '.title')
fi
echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_ENV
echo "PR_TITLE=$PR_TITLE" >> $GITHUB_ENV


@@ -0,0 +1,32 @@
on:
schedule:
- cron: '0 0 * * *'
pull_request:
types: [ opened, synchronize, reopened ]
branches: ["master", "*-rc"]
workflow_dispatch:
jobs:
tests:
runs-on: ubuntu-latest
steps:
- name: Checkout Repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
- name: Set Branch Variables
id: set-branch-variables
env:
github_event_pull_request_head_repo_owner_login: ${{ github.event.pull_request.head.repo.owner.login }}
github_repository_owner: ${{ github.repository_owner }}
run: |
# Set the Repo Owner
REPO_OWNER="${github_event_pull_request_head_repo_owner_login:-$github_repository_owner}"
echo "REPO_OWNER=$REPO_OWNER" >> $GITHUB_ENV
- name: Sanitize Github Variables
id: sanitize-github-variables
env:
GITHUB_EVENT_PULL_REQUEST_TITLE: ${{ github.event.pull_request.title }}
run: |
# Delete non-alphanumeric characters and limit to 75 chars which is the branch title limit in GitHub
SAFE_PULL_REQUEST_TITLE=$(echo "${GITHUB_EVENT_PULL_REQUEST_TITLE}" | tr -cd '[:alnum:]_ -' | cut -c1-75)
echo "SAFE_PULL_REQUEST_TITLE=$SAFE_PULL_REQUEST_TITLE" >> $GITHUB_ENV


@@ -0,0 +1,40 @@
on:
pull_request:
workflow_dispatch:
jobs:
build:
if: ${{ github.repository_owner == 'test' }}
runs-on: ubuntu-latest
steps:
- name: Get the appropriate Endo branch
id: branch
uses: actions/github-script@v7
with:
result-encoding: string
script: |-
let branch = 'NOPE';
if (context.payload.pull_request) {
const { body } = context.payload.pull_request;
const regex = /^\#endo-branch:\s+(\S+)/m;
const result = regex.exec(body);
if (result) {
branch = result[1];
}
}
return branch;
- name: check out
id: checkout
if: steps.branch.outputs.result != 'NOPE'
uses: actions/checkout@v4
with:
repository: test/test
path: ./tmp
ref: ${{ steps.branch.outputs.result }}
clean: 'false'
submodules: 'true'
persist-credentials: false
- name: Find Netlify site ID
run: |
echo "NETLIFY_SITE_ID=$(cat COVERAGE_NETLIFY_SITE_ID)" >> $GITHUB_ENV
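Review bot: The `with:` block of the `check out` step mixes quoted booleans (`clean: 'false'`, `submodules: 'true'`) with a bare one (`persist-credentials: false`); actions/checkout reads every input as a string so both forms work, but one style per block reads better and avoids the question of whether the difference is meaningful. The `script: |-` block returns `'NOPE'` as a sentinel and the next step's `if: steps.branch.outputs.result != 'NOPE'` depends on it, but nothing documents that contract; a comment on the first step, e.g. `# result is 'NOPE' when the PR body has no '#endo-branch:' marker; the checkout below is then skipped`, would tie the two steps together for the reader. The last step reads `COVERAGE_NETLIFY_SITE_ID` from the job's working directory rather than from `./tmp`, so it does not read from the ref selected above; if that is the scenario being tested, a comment saying so would help.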


@@ -0,0 +1,43 @@
name: Test
on:
workflow_run:
workflows: ["Generate Preview"]
types:
- completed
jobs:
test:
runs-on: ubuntu-latest
steps:
- name: 'Download artifact'
uses: actions/github-script@v3.1.0
with:
script: |
var artifacts = await github.actions.listWorkflowRunArtifacts({
owner: context.repo.owner,
repo: context.repo.repo,
run_id: ${{ github.event.workflow_run.id }},
});
var matchPrArtifact = artifacts.data.artifacts.filter((artifact) => {
return artifact.name == "pr"
})[0];
var matchPreviewArtifact = artifacts.data.artifacts.filter((artifact) => {
return artifact.name == "preview"
})[0];
var downloadPr = await github.actions.downloadArtifact({
owner: context.repo.owner,
repo: context.repo.repo,
artifact_id: matchPrArtifact.id,
archive_format: 'zip',
});
var downloadPreview = await github.actions.downloadArtifact({
owner: context.repo.owner,
repo: context.repo.repo,
artifact_id: matchPreviewArtifact.id,
archive_format: 'zip',
});
var fs = require('fs');
fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(downloadPr.data));
- run: |
unzip pr.zip
echo "pr_number=$(cat NR)" >> $GITHUB_ENV
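Review bot: The `github-script` body interpolates `${{ github.event.workflow_run.id }}` and `${{github.workspace}}` directly into the JavaScript source, whereas the coverage fixture later in this commit obtains the same values in-script via `context.payload.workflow_run.id` and `process.env.GITHUB_WORKSPACE`. If the expression interpolation is not itself the behaviour under test, `run_id: context.payload.workflow_run.id,` and `fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/pr.zip`, Buffer.from(downloadPr.data));` keep the two fixtures aligned; if it is, a comment saying so would stop the next reader from normalising it. `downloadPreview` is fetched but never written to disk, so the `preview` artifact download is dead code in this fixture unless it is meant to show an unused download.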


@@ -0,0 +1,23 @@
name: Test
on:
workflow_run:
workflows: ['checks']
types:
- completed
jobs:
test:
runs-on: ubuntu-latest
steps:
- name: Download PR metadata
uses: dawidd6/action-download-artifact@e6e25ac3a2b93187502a8be1ef9e9603afc34925 # v2.24.2
with:
workflow: ${{ github.event.workflow_run.workflow_id }}
workflow_conclusion: ''
name: pr_metadata
if_no_artifact_found: 'ignore'
- run: |
echo "PR_NUMBER=$(cat pr_number.txt | jq -r .)" >> $GITHUB_ENV
echo "PR_HEAD_REPO=$(cat pr_head_repo.txt | jq -Rr .)" >> $GITHUB_ENV
echo "PR_HEAD_REF=$(cat pr_head_ref.txt | jq -Rr .)" >> $GITHUB_ENV


@@ -0,0 +1,71 @@
name: Test
on:
pull_request_target:
jobs:
test:
runs-on: ubuntu-latest
steps:
- env:
TITLE: ${{ github.event.pull_request.title }}
run: |
echo "PR_TITLE=$TITLE" >> $GITHUB_ENV
- env:
TITLE: ${{ github.event.pull_request.title }}
run: |
echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV
- env:
TITLE: ${{ github.event.pull_request.title }}
run: |
echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV
- env:
TITLE: ${{ github.event.pull_request.title }}
run: |
echo "PR_TITLE<<EOF" >> $GITHUB_ENV
echo "$TITLE" >> $GITHUB_ENV
echo "EOF" >> $GITHUB_ENV
- env:
TITLE: ${{ github.event.pull_request.title }}
run: |
echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"
echo "$TITLE" >> "${GITHUB_ENV}"
echo "EOF" >> "${GITHUB_ENV}"
- env:
TITLE: ${{ github.event.pull_request.title }}
run: |
{
echo 'JSON_RESPONSE<<EOF'
echo "$TITLE"
echo EOF
} >> "$GITHUB_ENV"
- env:
TITLE: ${{ github.event.pull_request.title }}
run: |
cat <<-EOF >> "$GITHUB_ENV"
FOO=$TITLE
EOF
- env:
TITLE: ${{ github.event.pull_request.head.ref }}
run: |
echo "PR_TITLE=$TITLE" >> $GITHUB_ENV
- run: echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV
env:
TARGET_BRANCH: ${{ github.head_ref }}
- run: echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV
env:
TARGET_BRANCH: ${{ github.event.pull_request.title }}
- run: echo ISSUE_KEY=$(echo "${TITLE}" | grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV
env:
TITLE: ${{ github.event.pull_request.title }}
- env:
TITLE: |-
${{ github.event.pull_request.title }}
run: |
cat > issue.txt << EOL
${TITLE}
EOL
echo REPO_NAME=$(cat issue.txt | sed 's/\r/\n/g' | grep -ioE '\s*[a-z0-9_-]+/[a-z0-9_-]+\s*$' | tr -d ' ') >> $GITHUB_ENV


@@ -0,0 +1,36 @@
name: Test
on:
workflow_run:
workflows: ["Build/Test"]
types: [completed]
jobs:
test:
runs-on: ubuntu-latest
steps:
- name: 'Download code coverage'
uses: actions/github-script@v7
with:
script: |
let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
owner: context.repo.owner,
repo: context.repo.repo,
run_id: context.payload.workflow_run.id,
});
let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
return artifact.name == "oc-code-coverage"
})[0];
let download = await github.rest.actions.downloadArtifact({
owner: context.repo.owner,
repo: context.repo.repo,
artifact_id: matchArtifact.id,
archive_format: 'zip',
});
let fs = require('fs');
fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/oc-code-coverage.zip`, Buffer.from(download.data));
- name: 'Unzip code coverage'
run: unzip oc-code-coverage.zip -d coverage
- name: set env vars
run: |
echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV
echo "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV
echo "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV


@@ -0,0 +1,28 @@
name: Test
on:
pull_request_target:
jobs:
test:
runs-on: ubuntu-latest
steps:
- env:
TITLE: ${{ github.event.pull_request.title }}
run: |
FOO=${TITLE##*/}
echo PR_TITLE=${FOO} >> $GITHUB_ENV
- env:
TITLE: ${{ github.event.pull_request.title }}
run: |
FOO=$TITLE+
echo PR_TITLE=$FOO >> $GITHUB_ENV
- env:
TITLE: ${{ github.event.pull_request.title }}
run: |
venv="$(echo $TITLE)')"
echo "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV
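Review bot: `venv="$(echo $TITLE)')"` carries a stray `')` after the command substitution, so the value written to `VIRTUAL_ENV` is the title followed by a literal `')`; nothing marks this as intentional. If it is there to check that the query still tracks the assignment through odd quoting, a comment such as `# intentional stray ') — exercises assignment parsing with unbalanced-looking quotes` would keep it from being "fixed"; otherwise it should simply be `venv="$(echo $TITLE)"`. The `FOO=$TITLE+` step two above has a similar unexplained suffix and would benefit from the same treatment.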


@@ -0,0 +1,25 @@
# Second Workflow
# It consumes an artifact produced by the First Workflow
on: workflow_run
jobs:
my-second-job:
runs-on: ubuntu-latest
steps:
- name: download pr artifact
uses: dawidd6/action-download-artifact@v2
with:
workflow: ${{github.event.workflow_run.workflow_id}}
run_id: ${{github.event.workflow_run.id}}
name: artifact
- name: Load .env file
uses: aarcangeli/load-dotenv@v1.0.0
with:
path: 'backend/new'
filenames: |
.env
.env.test
quiet: false
if-file-not-found: error


@@ -0,0 +1,39 @@
name: Tests
on:
workflow_run:
workflows: ["tests"]
types:
- completed
permissions: { contents: read }
jobs:
unit-test-results:
name: Test
runs-on: ubuntu-latest
permissions:
actions: write
statuses: write
checks: write
pull-requests: write
contents: write
steps:
- uses: actions/checkout@v4
- name: Download and Extract Artifacts
uses: dawidd6/action-download-artifact@v6
with:
run_id: ${{ github.event.workflow_run.id }}
path: ./artifacts
- name: assignment
run: |
foo=$(cat ./artifacts/parent-artifacts/event.txt)
echo "foo=$foo" >> $GITHUB_ENV
- name: direct 1
run: |
echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV
- name: direct 2
run: |
echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV
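Review bot: The `direct 2` step reads `$(< /artifacts/parent-artifacts/event.txt)` from an absolute `/artifacts` path, while the download step sets `path: ./artifacts` and the two preceding steps read `./artifacts/parent-artifacts/event.txt`; the leading `.` looks to have been dropped. If the step is meant to exercise the same sink through `<` redirection, the line should be `echo "foo=$(< ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV`; if the absolute path is deliberate (a read the query should not connect to the download), a comment saying so would prevent it being treated as a typo. Separately, `permissions: { contents: read }` at the top level is flow style while the job-level `permissions:` block is block style; one form is easier on the eye, and the same mix appears in the `tests` fixture that follows.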


@@ -0,0 +1,41 @@
name: tests
on:
workflow_run:
workflows: ["Tests"]
types:
- completed
permissions: { contents: read }
jobs:
get-artifacts:
name: Get required artifacts
runs-on: ubuntu-latest
permissions:
actions: read
statuses: write
steps:
- name: Download and extract event file
uses: actions/download-artifact@v4
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
run-id: ${{ github.event.workflow_run.id }}
name: event_file
path: artifacts/event_file
- name: Try to read PR number
id: set-ref
run: |
pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)
if [ -z "$pr_num" ] || [ "$pr_num" == "null" ]; then
pr_num=""
fi
ref=$pr_num
if [ -z "$ref" ] || [ "$ref" == "null" ]; then
ref=${{ github.ref }}
fi
echo "pr_num=$pr_num" >> $GITHUB_ENV
echo "ref=$ref" >> $GITHUB_ENV
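Review bot: In the `Try to read PR number` step the second guard `if [ -z "$ref" ] || [ "$ref" == "null" ]` can never see `"null"`, because `ref=$pr_num` is assigned only after `pr_num` has been reset to the empty string for exactly that case; the comparison is dead and the two checks collapse to `if [ -z "$pr_num" ]; then ref=${{ github.ref }}; else ref=$pr_num; fi`. The expression is also written unquoted as `ref=${{ github.ref }}` while every other assignment in the step is quoted; `ref="${{ github.ref }}"` keeps the quoting consistent. Whether the query should treat `pr_num` from `event.json` as tainted is not stated anywhere in the fixture; a `# VULNERABLE` / `# NOT VULNERABLE` marker as used in the `pr_number.txt` fixture would record the expectation.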


@@ -0,0 +1,24 @@
edges
| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance | Config |
| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance | Config |
| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | provenance | Config |
| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | provenance | Config |
| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance | Config |
nodes
| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | semmle.label | echo $(echo "$PATHINJ") >> $GITHUB_PATH |
| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | semmle.label | echo $PATHINJ >> $GITHUB_PATH |
| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | semmle.label | echo ${PATHINJ} >> $GITHUB_PATH |
| .github/workflows/path1.yml:21:9:25:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | semmle.label | echo "$(cat foo/bar)" >> $GITHUB_PATH |
| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | semmle.label | echo "::add-path::$PATHINJ" |
subpaths
#select
| .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |


@@ -0,0 +1 @@
Security/CWE-077/EnvPathInjectionCritical.ql


@@ -0,0 +1,19 @@
edges
| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance | Config |
| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance | Config |
| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | provenance | Config |
| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | provenance | Config |
| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance | Config |
nodes
| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | semmle.label | echo $(echo "$PATHINJ") >> $GITHUB_PATH |
| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | semmle.label | echo $PATHINJ >> $GITHUB_PATH |
| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | semmle.label | echo ${PATHINJ} >> $GITHUB_PATH |
| .github/workflows/path1.yml:21:9:25:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | semmle.label | echo "$(cat foo/bar)" >> $GITHUB_PATH |
| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | semmle.label | echo "::add-path::$PATHINJ" |
subpaths
#select


@@ -0,0 +1 @@
Security/CWE-077/EnvPathInjectionMedium.ql


@@ -0,0 +1,131 @@
edges
| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config |
| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<<EOF'\n cat foo\n echo EOF\n} >> "$GITHUB_ENV"\n | provenance | Config |
| .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config |
| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<<EOF'\n echo "$TITLE"\n echo EOF\n} >> "$GITHUB_ENV"\n | provenance | Config |
| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | provenance | Config |
| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | provenance | Config |
| .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | provenance | Config |
| .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | provenance | Config |
| .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | provenance | Config |
| .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | provenance | Config |
| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | provenance | Config |
| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | provenance | Config |
| .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | provenance | Config |
| .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | provenance | Config |
| .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | provenance | Config |
nodes
| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | semmle.label | Run Step |
| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | semmle.label | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n |
| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | semmle.label | Run Step |
| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n |
| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | semmle.label | Run Step |
| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<<EOF'\n cat foo\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<<EOF'\n cat foo\n echo EOF\n} >> "$GITHUB_ENV"\n |
| .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n |
| .github/workflows/test3.yml:13:7:20:4 | Uses Step | semmle.label | Uses Step |
| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | semmle.label | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n |
| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | semmle.label | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n |
| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | semmle.label | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n |
| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | semmle.label | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n |
| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | semmle.label | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n |
| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n |
| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<<EOF'\n echo "$TITLE"\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<<EOF'\n echo "$TITLE"\n echo EOF\n} >> "$GITHUB_ENV"\n |
| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | semmle.label | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n |
| .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | semmle.label | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV |
| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | semmle.label | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV |
| .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/test5.yml:10:9:30:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | semmle.label | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n |
| .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | semmle.label | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n |
| .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | semmle.label | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n |
| .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | semmle.label | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n |
| .github/workflows/test7.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/test7.yml:16:9:24:35 | Uses Step | semmle.label | Uses Step |
| .github/workflows/test8.yml:24:9:30:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | semmle.label | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n |
| .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | semmle.label | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n |
| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | semmle.label | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n |
| .github/workflows/test9.yml:19:9:27:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n |
| .github/workflows/test10.yml:20:9:26:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | semmle.label | cat foo/.github/java-config.env >> $GITHUB_ENV |
| .github/workflows/test11.yml:15:9:21:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n |
| .github/workflows/test12.yml:38:9:46:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n |
| .github/workflows/test12.yml:55:9:61:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n |
| .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | semmle.label | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n |
| .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | semmle.label | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n |
| .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | semmle.label | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n |
| .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | semmle.label | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n |
| .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | semmle.label | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n |
| .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | semmle.label | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n |
| .github/workflows/test16.yml:10:9:15:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n |
| .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n |
subpaths
#select
| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:4:3:4:14 | workflow_run | workflow_run |
| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:4:3:4:14 | workflow_run | workflow_run |
| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<<EOF'\n cat foo\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<<EOF'\n cat foo\n echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<<EOF'\n cat foo\n echo EOF\n} >> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<<EOF'\n cat foo\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:4:3:4:14 | workflow_run | workflow_run |
| .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:3:3:3:14 | workflow_run | workflow_run |
| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:3:3:3:14 | workflow_run | workflow_run |
| .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<<EOF'\n echo "$TITLE"\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<<EOF'\n echo "$TITLE"\n echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<<EOF'\n echo "$TITLE"\n echo EOF\n} >> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<<EOF'\n echo "$TITLE"\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:3:3:3:14 | workflow_run | workflow_run |
| .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/test7.yml:16:9:24:35 | Uses Step | .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Uses Step | .github/workflows/test7.yml:4:5:4:16 | workflow_run | workflow_run |
| .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run |
| .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run |
| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run |
| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:4:3:4:14 | workflow_run | workflow_run |
| .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test11.yml:4:3:4:14 | workflow_run | workflow_run |
| .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run |
| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run |
| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run |
| .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:3:3:3:21 | pull_request_target | pull_request_target |
| .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:3:3:3:21 | pull_request_target | pull_request_target |
| .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:4:3:4:14 | workflow_run | workflow_run |
| .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:4:3:4:14 | workflow_run | workflow_run |


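--- a/<path-not-shown-on-page>
+++ b/<path-not-shown-on-page>
@@ -0,0 +1 @@
+Security/CWE-077/EnvVarInjectionCritical.ql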


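--- a/<path-not-shown-on-page>
+++ b/<path-not-shown-on-page>
@@ -0,0 +1,95 @@
+edges
+| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | Config |
+| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config |
+| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<<EOF'\n cat foo\n echo EOF\n} >> "$GITHUB_ENV"\n | provenance | Config |
+| .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | provenance | Config |
+| .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | provenance | Config |
+| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | provenance | Config |
+| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | provenance | Config |
+| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | provenance | Config |
+| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | provenance | Config |
+| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config |
+| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<<EOF'\n echo "$TITLE"\n echo EOF\n} >> "$GITHUB_ENV"\n | provenance | Config |
+| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | provenance | Config |
+| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | provenance | Config |
+| .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | provenance | Config |
+| .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | provenance | Config |
+| .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | provenance | Config |
+| .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | provenance | Config |
+| .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | provenance | Config |
+| .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | provenance | Config |
+| .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | provenance | Config |
+| .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | Config |
+| .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | Config |
+| .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | provenance | Config |
+| .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | provenance | Config |
+| .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | provenance | Config |
+| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | provenance | Config |
+| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | provenance | Config |
+| .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | provenance | Config |
+| .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | provenance | Config |
+| .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | provenance | Config |
+nodes
+| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | semmle.label | Run Step |
+| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | semmle.label | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n |
+| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | semmle.label | Run Step |
+| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n |
+| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | semmle.label | Run Step |
+| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<<EOF'\n cat foo\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<<EOF'\n cat foo\n echo EOF\n} >> "$GITHUB_ENV"\n |
+| .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n |
+| .github/workflows/test3.yml:13:7:20:4 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | semmle.label | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n |
+| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
+| .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | semmle.label | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n |
+| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
+| .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | semmle.label | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n |
+| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
+| .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | semmle.label | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n |
+| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
+| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | semmle.label | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n |
+| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
+| .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n |
+| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
+| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<<EOF'\n echo "$TITLE"\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<<EOF'\n echo "$TITLE"\n echo EOF\n} >> "$GITHUB_ENV"\n |
+| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
+| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | semmle.label | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n |
+| .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | semmle.label | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV |
+| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
+| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | semmle.label | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV |
+| .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
+| .github/workflows/test5.yml:10:9:30:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | semmle.label | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n |
+| .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
+| .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | semmle.label | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n |
+| .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
+| .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | semmle.label | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n |
+| .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
+| .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | semmle.label | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n |
+| .github/workflows/test7.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/test7.yml:16:9:24:35 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/test8.yml:24:9:30:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | semmle.label | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n |
+| .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | semmle.label | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n |
+| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | semmle.label | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n |
+| .github/workflows/test9.yml:19:9:27:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n |
+| .github/workflows/test10.yml:20:9:26:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | semmle.label | cat foo/.github/java-config.env >> $GITHUB_ENV |
+| .github/workflows/test11.yml:15:9:21:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n |
+| .github/workflows/test12.yml:38:9:46:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n |
+| .github/workflows/test12.yml:55:9:61:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n |
+| .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | semmle.label | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n |
+| .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | semmle.label | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n |
+| .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | semmle.label | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n |
+| .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | semmle.label | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n |
+| .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | semmle.label | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n |
+| .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | semmle.label | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n |
+| .github/workflows/test16.yml:10:9:15:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n |
+| .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n |
+subpaths
+#select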


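--- a/<path-not-shown-on-page>
+++ b/<path-not-shown-on-page>
@@ -0,0 +1 @@
+Security/CWE-077/EnvVarInjectionMedium.ql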


@@ -0,0 +1,196 @@
name: "Run Dagger pipeline"
description: "Runs a given dagger pipeline"
inputs:
subcommand:
description: "Subcommand for airbyte-ci"
required: true
context:
description: "CI context (e.g., pull_request, manual)"
required: true
github_token:
description: "GitHub token"
required: false
dagger_cloud_token:
description: "Dagger Cloud token"
required: false
docker_hub_username:
description: "Dockerhub username"
required: false
docker_hub_password:
description: "Dockerhub password"
required: false
options:
description: "Options for the subcommand"
required: false
production:
description: "Whether to run in production mode"
required: false
default: "True"
report_bucket_name:
description: "Bucket name for CI reports"
required: false
default: "airbyte-ci-reports-multi"
gcp_gsm_credentials:
description: "GCP credentials for GCP Secret Manager"
required: false
default: ""
gcp_integration_tester_credentials:
description: "GCP credentials for integration tests"
required: false
default: ""
git_repo_url:
description: "Git repository URL"
default: https://github.com/airbytehq/airbyte.git
required: false
git_branch:
description: "Git branch to checkout"
required: false
git_revision:
description: "Git revision to checkout"
required: false
slack_webhook_url:
description: "Slack webhook URL"
required: false
metadata_service_gcs_credentials:
description: "GCP credentials for metadata service"
required: false
metadata_service_bucket_name:
description: "Bucket name for metadata service"
required: false
default: "prod-airbyte-cloud-connector-metadata-service"
sentry_dsn:
description: "Sentry DSN"
required: false
spec_cache_bucket_name:
description: "Bucket name for GCS spec cache"
required: false
default: "io-airbyte-cloud-spec-cache"
spec_cache_gcs_credentials:
description: "GCP credentials for GCS spec cache"
required: false
gcs_credentials:
description: "GCP credentials for GCS"
required: false
ci_job_key:
description: "CI job key"
required: false
s3_build_cache_access_key_id:
description: "Gradle S3 Build Cache AWS access key ID"
required: false
s3_build_cache_secret_key:
description: "Gradle S3 Build Cache AWS secret key"
required: false
airbyte_ci_binary_url:
description: "URL to airbyte-ci binary"
required: false
default: https://connectors.airbyte.com/airbyte-ci/releases/ubuntu/latest/airbyte-ci
python_registry_token:
description: "Python registry API token to publish python package"
required: false
is_fork:
description: "Whether the PR is from a fork"
required: false
default: "false"
max_attempts:
description: "Number of attempts at running the airbyte-ci command"
required: false
default: 1
retry_wait_seconds:
description: "Number of seconds to wait between retry attempts"
required: false
default: 60
runs:
using: "composite"
steps:
- name: Get start timestamp
id: get-start-timestamp
shell: bash
run: echo "start-timestamp=$(date +%s)" >> $GITHUB_OUTPUT
- name: Docker login
id: docker-login
uses: docker/login-action@v3
if: ${{ inputs.docker_hub_username != '' && inputs.docker_hub_password != '' }}
with:
username: ${{ inputs.docker_hub_username }}
password: ${{ inputs.docker_hub_password }}
- name: Install Airbyte CI
id: install-airbyte-ci
uses: ./.github/actions/install-airbyte-ci
with:
airbyte_ci_binary_url: ${{ inputs.airbyte_ci_binary_url }}
is_fork: ${{ inputs.is_fork }}
- name: Run airbyte-ci
id: run-airbyte-ci
uses: nick-fields/retry@v3
env:
CI: "True"
CI_GIT_USER: ${{ github.repository_owner }}
CI_PIPELINE_START_TIMESTAMP: ${{ steps.get-start-timestamp.outputs.start-timestamp }}
PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }}
# Next environment variables are workflow inputs based and can be set with empty values if the inputs are not required and passed
CI_CONTEXT: "${{ inputs.context }}"
CI_GIT_BRANCH: ${{ inputs.git_branch || github.head_ref }}
CI_GIT_REPO_URL: ${{ inputs.git_repo_url }}
CI_GIT_REVISION: ${{ inputs.git_revision || github.sha }}
CI_GITHUB_ACCESS_TOKEN: ${{ inputs.github_token }}
CI_JOB_KEY: ${{ inputs.ci_job_key }}
CI_REPORT_BUCKET_NAME: ${{ inputs.report_bucket_name }}
DAGGER_CLOUD_TOKEN: "${{ inputs.dagger_cloud_token }}"
DOCKER_HUB_PASSWORD: ${{ inputs.docker_hub_password }}
DOCKER_HUB_USERNAME: ${{ inputs.docker_hub_username }}
GCP_GSM_CREDENTIALS: ${{ inputs.gcp_gsm_credentials }}
GCP_INTEGRATION_TESTER_CREDENTIALS: ${{ inputs.gcp_integration_tester_credentials }}
GCS_CREDENTIALS: ${{ inputs.gcs_credentials }}
METADATA_SERVICE_BUCKET_NAME: ${{ inputs.metadata_service_bucket_name }}
METADATA_SERVICE_GCS_CREDENTIALS: ${{ inputs.metadata_service_gcs_credentials }}
PRODUCTION: ${{ inputs.production }}
PYTHON_REGISTRY_TOKEN: ${{ inputs.python_registry_token }}
PYTHON_REGISTRY_URL: ${{ inputs.python_registry_url }}
S3_BUILD_CACHE_ACCESS_KEY_ID: ${{ inputs.s3_build_cache_access_key_id }}
S3_BUILD_CACHE_SECRET_KEY: ${{ inputs.s3_build_cache_secret_key }}
SENTRY_DSN: ${{ inputs.sentry_dsn }}
SLACK_WEBHOOK: ${{ inputs.slack_webhook_url }}
SPEC_CACHE_BUCKET_NAME: ${{ inputs.spec_cache_bucket_name }}
SPEC_CACHE_GCS_CREDENTIALS: ${{ inputs.spec_cache_gcs_credentials }}
with:
shell: bash
max_attempts: ${{ inputs.max_attempts }}
retry_wait_seconds: ${{ inputs.retry_wait_seconds }}
# 360mn > 6 hours: it's the GitHub runner max job duration
timeout_minutes: 360
command: |
airbyte-ci --disable-update-check --disable-dagger-run --is-ci --gha-workflow-run-id=${{ github.run_id }} ${{ inputs.subcommand }} ${{ inputs.options }}
- name: Stop Engine
id: stop-engine
if: always()
shell: bash
run: |
mapfile -t containers < <(docker ps --filter name="dagger-engine-*" -q)
if [[ "${#containers[@]}" -gt 0 ]]; then
# give 5mn to the Dagger Engine to push cache data to Dagger Cloud
docker stop -t 300 "${containers[@]}";
fi
- name: Collect dagger engine logs
id: collect-dagger-engine-logs
if: always()
uses: jwalton/gh-docker-logs@v2
with:
dest: "./dagger_engine_logs"
images: "registry.dagger.io/engine"
- name: Tar logs
id: tar-logs
if: always()
shell: bash
run: tar cvzf ./dagger_engine_logs.tgz ./dagger_engine_logs
- name: Upload logs to GitHub
id: upload-dagger-engine-logs
if: always()
uses: actions/upload-artifact@v4
with:
name: ${{ github.job }}_dagger_engine_logs.tgz
path: ./dagger_engine_logs.tgz
retention-days: 7
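Review bot: The retry step's `command:` at the end of this section splices `${{ inputs.subcommand }} ${{ inputs.options }}` straight into the shell text, so whatever a caller places in those two inputs is parsed as shell — and the finalize-connector-rollout workflow in this same commit builds `subcommand` from `github.event.client_payload.connector_name`. Routing both through the step's existing `env:` block (`SUBCOMMAND: ${{ inputs.subcommand }}`, `OPTIONS: ${{ inputs.options }}`) and writing the command as `airbyte-ci --disable-update-check --disable-dagger-run --is-ci --gha-workflow-run-id=${{ github.run_id }} $SUBCOMMAND $OPTIONS` keeps them as data: unquoted expansion still word-splits into separate flags as the current line relies on, but bash does not re-parse expanded variable contents for command separators or substitutions. Separately, `PYTHON_REGISTRY_URL: ${{ inputs.python_registry_url }}` reads an input that is not declared under `inputs:`, so it always expands to empty — either declare `python_registry_url` alongside `python_registry_token` or drop the line. The numeric defaults `max_attempts: 1` and `retry_wait_seconds: 60` are the only unquoted defaults in the list; action inputs are strings, so `"1"` / `"60"` would match the neighbouring entries.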


@@ -0,0 +1,9 @@
on: issue_comment
jobs:
test1:
runs-on: ubuntu-latest
steps:
- uses: ruby/setup-ruby@v2
with:
ruby-version: ${{ github.event.comment.body }}
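Review bot: This fixture carries no `# VULNERABLE` / `# NOT VULNERABLE` marker on the step whose `ruby-version: ${{ github.event.comment.body }}` the expected output reports, unlike the arg_injection fixture in this commit, which labels every `run:` step. A one-line comment above the `uses: ruby/setup-ruby@v2` step, e.g. `# VULNERABLE: comment body flows into a with: input of a third-party action`, would tell a reader which query the file exercises without opening the .expected file; since the expected rows record `comment_issue.yml:9:26`, they would need regenerating after the insertion. The same applies to the small composite and docker action fixtures near the end of this commit (the `run: echo '${{ github.event.pull_request.body }}'`, `github.event.comment.body` and `github.event.issue.body` steps), none of which say what finding they are meant to produce.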


@@ -0,0 +1,87 @@
name: Documentation
on:
workflow_dispatch:
pull_request:
jobs:
parse_commit_info:
runs-on: ubuntu-latest
outputs:
can_deploy: ${{ steps.decide.outputs.can_deploy }}
deploy_to: ${{ steps.decide.outputs.deploy_to }}
steps:
- name: Checkout Code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Copy build utils
run: |
cp -r .github/utils ../utils
- name: Decide Whether to Build and/or Release
id: decide
run: |
set -xe
CAN_DEPLOY=$(python ../utils/please.py can_i_deploy_documentation)
DEPLOY_TO=$(python ../utils/please.py where_can_i_deploy_documentation)
echo "can_deploy=$CAN_DEPLOY" >> $GITHUB_OUTPUT
echo "deploy_to=$DEPLOY_TO" >> $GITHUB_OUTPUT
echo github.ref ${{ github.ref }}
build-documentation:
runs-on: ubuntu-latest
needs: parse_commit_info
strategy:
matrix:
python-version: [3.11]
steps:
- name: Checkout Code
uses: actions/checkout@v4
- name: Setup Python
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
- name: Install Quarto
uses: quarto-dev/quarto-actions/setup@v2
with:
version: pre-release
- name: Install Package
shell: bash
run: |
make doc-deps
- name: Environment Information
shell: bash
run: |
ls -la
ls -la doc
pip list
- name: Build docs
shell: bash
run: |
pushd doc; make doc; popd
- name: Environment Information
shell: bash
run: |
ls -la doc
cat doc/_variables.yml
ls -la doc/reference
- name: Deploy to Documentation to a Branch
uses: JamesIves/github-pages-deploy-action@v4
if: contains(needs.parse_commit_info.outputs.can_deploy, 'true')
with:
folder: doc/_site
branch: ${{ needs.parse_commit_info.outputs.deploy_to }}
commit-message: ${{ github.event.head_commit.message }}
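Review bot: `commit-message: ${{ github.event.head_commit.message }}` in the deploy step reads a field of the push event payload, but this workflow only declares `workflow_dispatch` and `pull_request` triggers, so I would expect it to expand to an empty string on both. If no meaningful message is available for these triggers, dropping the key and letting the action use its default is the cleaner fix rather than substituting other event text into a third-party action's input. Also `python-version: [3.11]` is an unquoted float; it happens to survive for 3.11, but `3.10` would become `3.1`, so quote matrix versions: `python-version: ["3.11"]`.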


@@ -0,0 +1,63 @@
name: Finalize connector rollout
on:
repository_dispatch:
types: [finalize-connector-rollout]
workflow_dispatch:
inputs:
connector_name:
description: "Connector name"
required: true
action:
description: "Action to perform"
required: true
options: ["promote", "rollback"]
jobs:
finalize_rollout:
name: Finalize connector rollout
runs-on: connector-publish-large
env:
ACTION: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.action || github.event.client_payload.action }}
steps:
- name: Check action value
run: |
if [[ "${ACTION}" != "promote" && "${ACTION}" != "rollback" ]]; then
echo "Invalid action: ${ACTION}"
exit 1
fi
shell: bash
- name: Checkout Airbyte
uses: actions/checkout@v4
- name: Promote {{ github.event.client_payload.connector_name }} release candidate
id: promote-release-candidate
if: ${{ env.ACTION == 'promote' }}
uses: ./.github/actions/run-airbyte-ci
with:
context: "manual"
dagger_cloud_token: ${{ secrets.DAGGER_CLOUD_TOKEN_2 }}
docker_hub_password: ${{ secrets.DOCKER_HUB_PASSWORD }}
docker_hub_username: ${{ secrets.DOCKER_HUB_USERNAME }}
gcp_gsm_credentials: ${{ secrets.GCP_GSM_CREDENTIALS }}
gcs_credentials: ${{ secrets.METADATA_SERVICE_PROD_GCS_CREDENTIALS }}
github_token: ${{ secrets.GITHUB_TOKEN }}
metadata_service_gcs_credentials: ${{ secrets.METADATA_SERVICE_PROD_GCS_CREDENTIALS }}
sentry_dsn: ${{ secrets.SENTRY_AIRBYTE_CI_DSN }}
slack_webhook_url: ${{ secrets.PUBLISH_ON_MERGE_SLACK_WEBHOOK }}
subcommand: "connectors --name=${{ github.event.client_payload.connector_name }} publish --promote-release-candidate"
- name: Rollback {{ github.event.client_payload.connector_name }} release candidate
id: rollback-release-candidate
if: ${{ env.ACTION == 'rollback' }}
uses: ./.github/actions/run-airbyte-ci
with:
context: "manual"
dagger_cloud_token: ${{ secrets.DAGGER_CLOUD_TOKEN_2 }}
docker_hub_password: ${{ secrets.DOCKER_HUB_PASSWORD }}
docker_hub_username: ${{ secrets.DOCKER_HUB_USERNAME }}
gcp_gsm_credentials: ${{ secrets.GCP_GSM_CREDENTIALS }}
gcs_credentials: ${{ secrets.METADATA_SERVICE_PROD_GCS_CREDENTIALS }}
github_token: ${{ secrets.GITHUB_TOKEN }}
metadata_service_gcs_credentials: ${{ secrets.METADATA_SERVICE_PROD_GCS_CREDENTIALS }}
sentry_dsn: ${{ secrets.SENTRY_AIRBYTE_CI_DSN }}
slack_webhook_url: ${{ secrets.PUBLISH_ON_MERGE_SLACK_WEBHOOK }}
spec_cache_gcs_credentials: ${{ secrets.SPEC_CACHE_SERVICE_ACCOUNT_KEY_PUBLISH }}
subcommand: "connectors --name=${{ github.event.client_payload.connector_name }} publish --rollback-release-candidate"
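Review bot: The step names `Promote {{ github.event.client_payload.connector_name }} release candidate` and the matching `Rollback …` name are missing the `$` in front of `{{`, so they render literally in the run log instead of showing the connector. More substantively, both `subcommand:` strings read `github.event.client_payload.connector_name`, which is only populated by `repository_dispatch`; on `workflow_dispatch` the declared `connector_name` input is never consulted and `--name=` is sent empty. The `ACTION` env var already resolves the trigger-dependent source, so mirroring it with `CONNECTOR_NAME: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.connector_name || github.event.client_payload.connector_name }}` and referencing `${{ env.CONNECTOR_NAME }}` in the two names and two subcommands fixes both, and a validation step analogous to `Check action value` (reject a name that is not a plain identifier) is worth adding before the value is spliced into a command line. Finally, `options: ["promote", "rollback"]` on the `action` input has no effect without `type: choice`, so the dispatch form accepts free text that only the shell check catches.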


@@ -0,0 +1,6 @@
edges
nodes
| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body |
subpaths
#select
| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential command injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment |


@@ -0,0 +1 @@
Security/CWE-078/CommandInjectionCritical.ql


@@ -0,0 +1,5 @@
edges
nodes
| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body |
subpaths
#select


@@ -0,0 +1 @@
Security/CWE-078/CommandInjectionMedium.ql


@@ -0,0 +1,74 @@
name: Argument injection
on:
pull_request_target:
jobs:
test1:
runs-on: ubuntu-latest
env:
TITLE: ${{github.event.pull_request.title}}
steps:
- name: Checkout
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.ref }}
- run: |
# NOT VULNERABLE
echo "s/FOO/$TITLE/g"
- run: |
# VULNERABLE
sed "s/FOO/$TITLE/g"
- run: |
# VULNERABLE
echo "foo" | sed "s/FOO/$TITLE/g" > bar
- run: |
# VULNERABLE
echo $(echo "foo" | sed "s/FOO/$TITLE/g" > bar)
- run: |
# VULNERABLE
awk "BEGIN {$TITLE}"
- run: |
# VULNERABLE
sed -i "s/git_branch = .*/git_branch = \"$GITHUB_HEAD_REF\"/" config.json
- run: |
# VULNERABLE
sed -i "s|git_branch = .*|git_branch = \"$GITHUB_HEAD_REF\"|" config.json
- run: |
# VULNERABLE
sed -e 's#<branch_to_sync>#${TITLE}#' \
-e 's#<sot_repo>#${{ env.sot_repo }}#' \
-e 's#<destination_repo>#TITLE#' \
.github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky
- run: |
# VULNERABLE
sed -e 's#<branch_to_sync>#TITLE#' \
-e 's#<sot_repo>#${{ env.sot_repo }}#' \
-e 's#<destination_repo>#${TITLE}#' \
.github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky
- run: |
# VULNERABLE
BODY=$(git log --format=%s)
sed "s/FOO/$BODY/g" > /tmp/foo
- run: |
# VULNERABLE
BODY=$(git diff --name-only HEAD)
sed "s/FOO/$BODY/g" > /tmp/foo
- run: |
# VULNERABLE
BODY=$(git diff --name-only HEAD )
sed "s/FOO/$BODY/g" > /tmp/foo
- run: |
# VULNERABLE
BODY=$(git diff --name-only HEAD^ | xargs)
sed "s/FOO/$BODY/g" > /tmp/foo
- run: |
# NOT VULNERABLE
echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT
- run: |
# NOT VULNERABLE
git log -1 --pretty=%s
- run: |
# NOT VULNERABLE
BODY=$(git log --format=%s)
sed -E 's/\s+/\n/g' <<<"$BODY"
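Review bot: The two multi-line `sed -e` steps labelled `# VULNERABLE` wrap `${TITLE}` inside single-quoted sed expressions (`'s#<branch_to_sync>#${TITLE}#'`), and bash does not expand parameters inside single quotes, so at runtime the PR title never reaches sed in those steps; the expected output in this commit nonetheless records a flow from `github.event.pull_request.title` into them. If the query deliberately ignores shell quoting as a conservative approximation, a short comment on those steps saying so (`# VULNERABLE (query ignores single-quoting; no runtime expansion)`) would stop the next reader from filing them as false positives; if not, the label and the .expected rows should change. The `-e 's#<sot_repo>#${{ env.sot_repo }}#'` lines also reference `env.sot_repo`, which is never defined in this workflow — presumably fine for a fixture, but a comment would make that intent explicit.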


@@ -0,0 +1,35 @@
edges
| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | provenance | Config |
| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | provenance | Config |
| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | provenance | Config |
| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | provenance | Config |
| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | Config |
| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | Config |
nodes
| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | semmle.label | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n |
| .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | semmle.label | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n |
| .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | semmle.label | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n |
| .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | semmle.label | # VULNERABLE\nawk "BEGIN {$TITLE}"\n |
| .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | semmle.label | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n |
| .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | semmle.label | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n |
| .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n |
| .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n |
| .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n |
| .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n |
| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n |
| .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n |
subpaths
#select
| .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | awk | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |


@@ -0,0 +1 @@
Security/CWE-088/ArgumentInjectionCritical.ql


@@ -0,0 +1,23 @@
edges
| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | provenance | Config |
| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | provenance | Config |
| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | provenance | Config |
| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | provenance | Config |
| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | Config |
| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | Config |
nodes
| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
| .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | semmle.label | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n |
| .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | semmle.label | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n |
| .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | semmle.label | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n |
| .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | semmle.label | # VULNERABLE\nawk "BEGIN {$TITLE}"\n |
| .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | semmle.label | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n |
| .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | semmle.label | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n |
| .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n |
| .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n |
| .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n |
| .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n |
| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n |
| .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n |
subpaths
#select


@@ -0,0 +1 @@
Security/CWE-088/ArgumentInjectionMedium.ql


@@ -0,0 +1,7 @@
name: 'Test'
description: 'Test'
runs:
using: 'composite'
steps:
- shell: bash
run: echo '${{ github.event.pull_request.body }}'
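Review bot: The single quotes around `${{ github.event.pull_request.body }}` on the `run:` line do not contain the value, because the expression is substituted into the script text before bash parses it, so a body containing a single quote simply ends the quoted string. This file is byte-identical to the one at L2274–L2281, and neither says what the query is expected to report, so a one-line YAML comment above the step would make the `.expected` output easier to maintain, e.g. `# sink: PR body expanded into the shell script (expression injection)`. If one of the two copies is meant to show the safe shape instead, the conventional form is to pass the value through `env:` and reference `"$BODY"` inside the script.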


@@ -0,0 +1,17 @@
name: 'Hello World'
description: 'Greet someone and record the time'
inputs:
who-to-greet: # id of input
description: 'Who to greet'
required: true
default: 'World'
outputs:
time: # id of output
description: 'The time we greeted you'
runs:
using: 'docker'
steps: # this is actually invalid, used to test we correctly identify composite actions
- run: echo '${{ github.event.comment.body }}'
image: 'Dockerfile'
args:
- ${{ inputs.who-to-greet }}


@@ -0,0 +1,9 @@
name: 'Test'
description: 'Test'
runs:
using: 'composite'
steps:
- shell: bash
env:
FOO: ${{ secrets.FOO}}
run: echo '${{ github.event.pull_request.body }}'
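Review bot: `FOO: ${{ secrets.FOO}}` on L2269 reads the `secrets` context from a step inside a composite action, and as far as I know that context is not exposed to composite actions (a caller has to hand secrets in through `inputs:`), so outside a test the variable would be empty. If the fixture deliberately models that shape, pin it with a comment such as `# secrets context is not normally reachable from a composite action; kept to exercise the query` so a later cleanup does not rewrite it. The expression is also missing the space before `}}` (`${{ secrets.FOO }}`), which the runner tolerates but is inconsistent with the expression on L2270.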


@@ -0,0 +1,7 @@
name: 'Test'
description: 'Test'
runs:
using: 'composite'
steps:
- shell: bash
run: echo '${{ github.event.pull_request.body }}'


@@ -0,0 +1,34 @@
name: 'Test'
description: 'Test'
inputs:
taint:
description: 'text'
required: true
default: 'Foo'
outputs:
result:
description: "result"
value: ${{ steps.step.outputs.result }}
result2:
description: "result"
value: ${{ steps.step2.outputs.result2 }}
runs:
using: 'composite'
steps:
- shell: bash
run: echo '${{ github.event.issue.body }}'
- name: Step
id: step
env:
FOO: ${{ inputs.taint }}
shell: bash
run: echo "result=$(echo $FOO)" >> $GITHUB_OUTPUT
- id: step2
env:
FOO2: ${{ github.event.issue.body }}
shell: bash
run: echo "result2=$(echo $FOO2)" >> $GITHUB_OUTPUT
- name: Sink
id: sink
shell: bash
run: echo "${{ inputs.taint }}"
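Review bot: The steps at L2305–L2315 both route their value through `env:` and `$(echo $FOO)` before writing it to `$GITHUB_OUTPUT`, whereas L2319 expands `inputs.taint` straight into the script, and nothing in the file says which of these the query is expected to flag; since `result`/`result2` also surface as action outputs (L2293–L2299), a maintainer reading the `.expected` file has to reconstruct the intent. Suggested comment above L2316: `# sink: inputs.taint expanded into the script; the env-mediated steps above are the safe pattern but still propagate taint into the action outputs`. Separately, `$(echo $FOO)` on L2310 and L2315 is an unquoted expansion, so whitespace runs and glob characters in the value are altered before it reaches the output file; `"$FOO"` preserves the value as-is.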


@@ -0,0 +1,251 @@
# Ultralytics Actions 🚀, AGPL-3.0 License https://ultralytics.com/license
name: "Ultralytics Actions"
author: "Ultralytics"
description: "Optimize code and docs with official Ultralytics Actions for syntax, spelling, and link checks."
branding:
icon: "code"
color: "blue"
inputs:
token:
description: "GitHub token"
required: true
labels:
description: "Run issue and PR auto-labeling"
required: false
default: "false"
python:
description: "Run Python formatting"
required: false
default: "false"
markdown:
description: "Run Markdown formatting (deprecated in favor of prettier)"
required: false
default: "false"
prettier:
description: "Run Prettier formatting for JavaScript, JSX, Angular, Vue, Flow, TypeScript, CSS, HTML, JSON, GraphQL, Markdown, YAML"
required: false
default: "false"
swift:
description: "Run Swift formatting"
required: false
default: "false"
spelling:
description: "Run Spelling checks"
required: false
default: "false"
links:
description: "Run Broken Links checks"
required: false
default: "false"
summary:
description: "Run PR Summary"
required: false
default: "false"
openai_api_key:
description: "OpenAI API Key"
required: false
openai_model:
description: "OpenAI Model"
required: false
default: "gpt-4o"
first_issue_response:
description: "Example response to a new issue"
required: false
first_pr_response:
description: "Example response to a new PR"
required: false
github_username:
description: "GitHub username for commits"
required: false
default: "UltralyticsAssistant"
github_email:
description: "GitHub email for commits"
required: false
default: "web@ultralytics.com"
runs:
using: "composite"
steps:
- uses: astral-sh/setup-uv@v3
- name: Install Dependencies
# Note tomli required for codespell with pyproject.toml
# For debug:
# python -m pip install --upgrade pip wheel
# pip install -q git+https://github.com/ultralytics/actions@main codespell tomli
run: |
packages="ultralytics-actions"
if [ "${{ inputs.spelling }}" = "true" ]; then
packages="$packages codespell tomli"
fi
# On macOS, don't use sudo as it can cause environment issues
if [ "$(uname)" = "Darwin" ]; then
pip install -q $packages
else
sudo env "PATH=$PATH" uv pip install --system $packages
fi
ultralytics-actions-info
shell: bash
# Checkout Repository ----------------------------------------------------------------------------------------------
- name: Checkout Repository
if: github.event.action != 'closed'
uses: actions/checkout@v4
with:
repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
token: ${{ inputs.token }}
ref: ${{ github.head_ref || github.ref }}
fetch-depth: 0
# PR Summary -------------------------------------------------------------------------------------------------------
- name: PR Summary
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.summary == 'true' && github.event.action != 'synchronize'
env:
GITHUB_TOKEN: ${{ inputs.token }}
OPENAI_API_KEY: ${{ inputs.openai_api_key }}
OPENAI_MODEL: ${{ inputs.openai_model }}
run: |
ultralytics-actions-summarize-pr
shell: bash
continue-on-error: true
# Python formatting ------------------------------------------------------------------------------------------------
# Ignores the following Docs rules to match Google-style docstrings:
# D100: Missing docstring in public module
# D104: Missing docstring in public package
# D203: 1 blank line required before class docstring
# D205: 1 blank line required between summary line and description
# D212: Multi-line docstring summary should start at the first line
# D213: Multi-line docstring summary should start at the second line
# D401: First line of docstring should be in imperative mood
# D406: Section name should end with a newline
# D407: Missing dashed underline after section
# D413: Missing blank line after last section
# --target-version is Python 3.8 for --extend-select UP (pyupgrade)
- name: Run Python
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.python == 'true' && github.event.action != 'closed'
run: |
ruff format \
--line-length 120 \
. || true
ruff check \
--fix \
--unsafe-fixes \
--extend-select I,D,UP \
--target-version py38 \
--ignore D100,D104,D203,D205,D212,D213,D401,D406,D407,D413 \
. || true
docformatter \
--wrap-summaries 120 \
--wrap-descriptions 120 \
--pre-summary-newline \
--close-quotes-on-newline \
--in-place \
--recursive \
.
shell: bash
continue-on-error: true
# Prettier (JavaScript, JSX, Angular, Vue, Flow, TypeScript, CSS, HTML, JSON, GraphQL, Markdown, YAML) -------------
- name: Run Prettier
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && (inputs.prettier == 'true' || inputs.markdown == 'true') && github.event.action != 'closed'
run: |
ultralytics-actions-update-markdown-code-blocks
npm install --global prettier
npx prettier --write "**/*.{js,jsx,ts,tsx,css,less,scss,json,yml,yaml,html,vue,svelte}" '!**/*lock.{json,yaml,yml}' '!**/*.lock' '!**/model.json'
# Handle Markdown separately
find . -name "*.md" ! -path "*/docs/*" -exec npx prettier --write {} +
if [ -d "./docs" ]; then
find ./docs -name "*.md" ! -path "*/reference/*" -exec npx prettier --tab-width 4 --write {} +
fi
shell: bash
continue-on-error: true
# - name: Fix MkDocs reference section changes
# if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && (inputs.prettier == 'true' || inputs.markdown == 'true') && github.event.action != 'closed'
# run: |
# from pathlib import Path
# for file in Path("./docs").rglob('*.md'):
# content = file.read_text()
# updated_content = content.replace(".\_","._")
# file.write_text(updated_content)
# shell: python
# continue-on-error: true
# Swift formatting -------------------------------------------------------------------------------------------------
- name: Run Swift Formatter
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.swift == 'true' && github.event.action != 'closed'
run: |
brew install swift-format
swift-format --in-place --recursive .
shell: bash
continue-on-error: true
# Spelling ---------------------------------------------------------------------------------------------------------
- name: Run Codespell
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.spelling == 'true' && github.event.action != 'closed'
run: |
codespell \
--write-changes \
--ignore-words-list "crate,nd,ned,strack,dota,ane,segway,fo,gool,winn,commend,bloc,nam,afterall,skelton,goin" \
--skip "*.pt,*.pth,*.torchscript,*.onnx,*.tflite,*.pb,*.bin,*.param,*.mlmodel,*.engine,*.npy,*.data*,*.csv,*pnnx*,*venv*,*translat*,*lock*,__pycache__*,*.ico,*.jpg,*.png,*.mp4,*.mov,/runs,/.git,./docs/??/*.md,./docs/mkdocs_??.yml"
shell: bash
continue-on-error: true
# Autolabel Issues and PRs (run before commit changes in case commit fails) ----------------------------------------
- name: Autolabel Issues and PRs
if: inputs.labels == 'true' && (github.event.action == 'opened' || github.event.action == 'created')
env:
GITHUB_TOKEN: ${{ inputs.token }}
FIRST_ISSUE_RESPONSE: ${{ inputs.first_issue_response }}
FIRST_PR_RESPONSE: ${{ inputs.first_pr_response }}
OPENAI_API_KEY: ${{ inputs.openai_api_key }}
OPENAI_MODEL: ${{ inputs.openai_model }}
run: |
ultralytics-actions-first-interaction
shell: bash
continue-on-error: true
# Commit Changes ---------------------------------------------------------------------------------------------------
- name: Commit and Push Changes
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && github.event.action != 'closed'
run: |
git config --global user.name "${{ inputs.github_username }}"
git config --global user.email "${{ inputs.github_email }}"
git pull origin ${{ github.head_ref || github.ref }}
git add .
git reset HEAD -- .github/workflows/ # workflow changes are not permitted with default token
if ! git diff --staged --quiet; then
git commit -m "Auto-format by https://ultralytics.com/actions"
git push
else
echo "No changes to commit"
fi
shell: bash
continue-on-error: false
# Broken links -----------------------------------------------------------------------------------------------------
- name: Broken Link Checker
if: inputs.links == 'true' && github.event.action != 'closed'
uses: lycheeverse/lychee-action@v2.0.2
with:
# Check all markdown and html files in repo. Ignores the following status codes to reduce false positives:
# - 403(OpenVINO, "forbidden")
# - 429(Instagram, "too many requests")
# - 500(Zenodo, "cached")
# - 502(Zenodo, "bad gateway")
# - 999(LinkedIn, "unknown status code")
args: |
--scheme https
--timeout 60
--insecure
--accept 403,429,500,502,999
--exclude-all-private
--exclude "https?://(www\.)?(github\.com|linkedin\.com|twitter\.com|instagram\.com|kaggle\.com|fonts\.gstatic\.com|url\.com)"
"./**/*.md"
"./**/*.html"
token: ${{ inputs.token }}
output: ../lychee/results.md
fail: true
continue-on-error: false


@@ -0,0 +1,252 @@
# Ultralytics Actions 🚀, AGPL-3.0 License https://ultralytics.com/license
name: "Ultralytics Actions"
author: "Ultralytics"
description: "Optimize code and docs with official Ultralytics Actions for syntax, spelling, and link checks."
branding:
icon: "code"
color: "blue"
inputs:
token:
description: "GitHub token"
required: true
labels:
description: "Run issue and PR auto-labeling"
required: false
default: "false"
python:
description: "Run Python formatting"
required: false
default: "false"
markdown:
description: "Run Markdown formatting (deprecated in favor of prettier)"
required: false
default: "false"
prettier:
description: "Run Prettier formatting for JavaScript, JSX, Angular, Vue, Flow, TypeScript, CSS, HTML, JSON, GraphQL, Markdown, YAML"
required: false
default: "false"
swift:
description: "Run Swift formatting"
required: false
default: "false"
spelling:
description: "Run Spelling checks"
required: false
default: "false"
links:
description: "Run Broken Links checks"
required: false
default: "false"
summary:
description: "Run PR Summary"
required: false
default: "false"
openai_api_key:
description: "OpenAI API Key"
required: false
openai_model:
description: "OpenAI Model"
required: false
default: "gpt-4o"
first_issue_response:
description: "Example response to a new issue"
required: false
first_pr_response:
description: "Example response to a new PR"
required: false
github_username:
description: "GitHub username for commits"
required: false
default: "UltralyticsAssistant"
github_email:
description: "GitHub email for commits"
required: false
default: "web@ultralytics.com"
runs:
using: "composite"
steps:
- uses: astral-sh/setup-uv@v3
- name: Install Dependencies
# Note tomli required for codespell with pyproject.toml
# For debug:
# python -m pip install --upgrade pip wheel
# pip install -q git+https://github.com/ultralytics/actions@main codespell tomli
run: |
packages="ultralytics-actions"
if [ "${{ inputs.spelling }}" = "true" ]; then
packages="$packages codespell tomli"
fi
# On macOS, don't use sudo as it can cause environment issues
if [ "$(uname)" = "Darwin" ]; then
pip install -q $packages
else
sudo env "PATH=$PATH" uv pip install --system $packages
fi
ultralytics-actions-info
shell: bash
# Checkout Repository ----------------------------------------------------------------------------------------------
- name: Checkout Repository
if: github.event.action != 'closed'
uses: actions/checkout@v4
with:
repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
token: ${{ inputs.token }}
ref: ${{ github.head_ref || github.ref }}
fetch-depth: 0
# PR Summary -------------------------------------------------------------------------------------------------------
- name: PR Summary
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.summary == 'true' && github.event.action != 'synchronize'
env:
GITHUB_TOKEN: ${{ inputs.token }}
OPENAI_API_KEY: ${{ inputs.openai_api_key }}
OPENAI_MODEL: ${{ inputs.openai_model }}
run: |
ultralytics-actions-summarize-pr
shell: bash
continue-on-error: true
# Python formatting ------------------------------------------------------------------------------------------------
# Ignores the following Docs rules to match Google-style docstrings:
# D100: Missing docstring in public module
# D104: Missing docstring in public package
# D203: 1 blank line required before class docstring
# D205: 1 blank line required between summary line and description
# D212: Multi-line docstring summary should start at the first line
# D213: Multi-line docstring summary should start at the second line
# D401: First line of docstring should be in imperative mood
# D406: Section name should end with a newline
# D407: Missing dashed underline after section
# D413: Missing blank line after last section
# --target-version is Python 3.8 for --extend-select UP (pyupgrade)
- name: Run Python
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.python == 'true' && github.event.action != 'closed'
run: |
ruff format \
--line-length 120 \
. || true
ruff check \
--fix \
--unsafe-fixes \
--extend-select I,D,UP \
--target-version py38 \
--ignore D100,D104,D203,D205,D212,D213,D401,D406,D407,D413 \
. || true
docformatter \
--wrap-summaries 120 \
--wrap-descriptions 120 \
--pre-summary-newline \
--close-quotes-on-newline \
--in-place \
--recursive \
.
shell: bash
continue-on-error: true
# Prettier (JavaScript, JSX, Angular, Vue, Flow, TypeScript, CSS, HTML, JSON, GraphQL, Markdown, YAML) -------------
- name: Run Prettier
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && (inputs.prettier == 'true' || inputs.markdown == 'true') && github.event.action != 'closed'
run: |
ultralytics-actions-update-markdown-code-blocks
npm install --global prettier
npx prettier --write "**/*.{js,jsx,ts,tsx,css,less,scss,json,yml,yaml,html,vue,svelte}" '!**/*lock.{json,yaml,yml}' '!**/*.lock' '!**/model.json'
# Handle Markdown separately
find . -name "*.md" ! -path "*/docs/*" -exec npx prettier --write {} +
if [ -d "./docs" ]; then
find ./docs -name "*.md" ! -path "*/reference/*" -exec npx prettier --tab-width 4 --write {} +
fi
shell: bash
continue-on-error: true
# - name: Fix MkDocs reference section changes
# if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && (inputs.prettier == 'true' || inputs.markdown == 'true') && github.event.action != 'closed'
# run: |
# from pathlib import Path
# for file in Path("./docs").rglob('*.md'):
# content = file.read_text()
# updated_content = content.replace(".\_","._")
# file.write_text(updated_content)
# shell: python
# continue-on-error: true
# Swift formatting -------------------------------------------------------------------------------------------------
- name: Run Swift Formatter
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.swift == 'true' && github.event.action != 'closed'
run: |
brew install swift-format
swift-format --in-place --recursive .
shell: bash
continue-on-error: true
# Spelling ---------------------------------------------------------------------------------------------------------
- name: Run Codespell
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.spelling == 'true' && github.event.action != 'closed'
run: |
codespell \
--write-changes \
--ignore-words-list "crate,nd,ned,strack,dota,ane,segway,fo,gool,winn,commend,bloc,nam,afterall,skelton,goin" \
--skip "*.pt,*.pth,*.torchscript,*.onnx,*.tflite,*.pb,*.bin,*.param,*.mlmodel,*.engine,*.npy,*.data*,*.csv,*pnnx*,*venv*,*translat*,*lock*,__pycache__*,*.ico,*.jpg,*.png,*.mp4,*.mov,/runs,/.git,./docs/??/*.md,./docs/mkdocs_??.yml"
shell: bash
continue-on-error: true
# Autolabel Issues and PRs (run before commit changes in case commit fails) ----------------------------------------
- name: Autolabel Issues and PRs
if: inputs.labels == 'true' && (github.event.action == 'opened' || github.event.action == 'created')
env:
GITHUB_TOKEN: ${{ inputs.token }}
FIRST_ISSUE_RESPONSE: ${{ inputs.first_issue_response }}
FIRST_PR_RESPONSE: ${{ inputs.first_pr_response }}
OPENAI_API_KEY: ${{ inputs.openai_api_key }}
OPENAI_MODEL: ${{ inputs.openai_model }}
run: |
ultralytics-actions-first-interaction
shell: bash
continue-on-error: true
# Commit Changes ---------------------------------------------------------------------------------------------------
- name: Commit and Push Changes
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && github.event.action != 'closed'
run: |
git config --global user.name "${{ inputs.github_username }}"
git config --global user.email "${{ inputs.github_email }}"
# this action is not called in the test
git pull origin ${{ github.head_ref || github.ref }}
git add .
git reset HEAD -- .github/workflows/ # workflow changes are not permitted with default token
if ! git diff --staged --quiet; then
git commit -m "Auto-format by https://ultralytics.com/actions"
git push
else
echo "No changes to commit"
fi
shell: bash
continue-on-error: false
# Broken links -----------------------------------------------------------------------------------------------------
- name: Broken Link Checker
if: inputs.links == 'true' && github.event.action != 'closed'
uses: lycheeverse/lychee-action@v2.0.2
with:
# Check all markdown and html files in repo. Ignores the following status codes to reduce false positives:
# - 403(OpenVINO, "forbidden")
# - 429(Instagram, "too many requests")
# - 500(Zenodo, "cached")
# - 502(Zenodo, "bad gateway")
# - 999(LinkedIn, "unknown status code")
args: |
--scheme https
--timeout 60
--insecure
--accept 403,429,500,502,999
--exclude-all-private
--exclude "https?://(www\.)?(github\.com|linkedin\.com|twitter\.com|instagram\.com|kaggle\.com|fonts\.gstatic\.com|url\.com)"
"./**/*.md"
"./**/*.html"
token: ${{ inputs.token }}
output: ../lychee/results.md
fail: true
continue-on-error: false
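Review bot: The comment `# this action is not called in the test` on L2769 sits inside the `run: |` block, so it is part of the shell script rather than a YAML annotation, and it is the only difference from the otherwise identical copy at L2323–L2561, which makes it easy to miss. Moving it above the step at YAML indentation (`# NOTE: this step is not exercised by the test`) keeps the script identical to upstream and makes the intent visible to whoever reads the YAML.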


@@ -0,0 +1,47 @@
name: Clone repository
description: Clone repository
inputs:
title:
description: Title
required: true
forked-pr:
description: Whether the event is operating from a forked PR
required: true
fetch-depth:
description: Fetch depth for actions/checkout
default: "1"
outputs:
result:
description: "result"
value: ${{ steps.out.outputs.replaced }}
runs:
using: composite
steps:
- shell: bash
run: echo "${{ inputs.title }}"
- uses: frabert/replace-string-action@v2.5
id: out
with:
pattern: "\""
string: ${{ inputs.title }}
replace-with: 'foo'
flags: g
- id: out2
env:
FOO: ${{ inputs.title }}
shell: bash
run: echo "result=$(echo $FOO)" >> $GITHUB_OUTPUT
- name: Clone branch
if: "!fromJSON(inputs.forked-pr)"
uses: actions/checkout@v3
with:
fetch-depth: ${{ inputs.fetch-depth }}
- name: Clone forked PR
if: fromJSON(inputs.forked-pr)
uses: actions/checkout@v3
with:
ref: refs/pull/${{ github.event.number }}/merge
fetch-depth: ${{ inputs.fetch-depth }}
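Review bot: Step `out2` (L2837–L2841) writes a `result` output that nothing reads — the action's `result` output (L2822–L2824) is wired to `steps.out.outputs.replaced` — so either the output mapping or the step looks unfinished; if the step exists only to give the query an env-mediated path to compare against L2829, a comment saying so would keep it from being pruned. For L2829 (`run: echo "${{ inputs.title }}"`), the double quotes do not help because the expression is substituted before bash runs, which is presumably the intended sink and deserves a `# sink: inputs.title expanded into the script` comment. The `replace-string-action` step on L2830–L2836 only removes `"` from the title, so its `replaced` output should still be treated as untrusted by anything that consumes the action's `result`.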


@@ -0,0 +1,258 @@
# Ultralytics Actions 🚀, AGPL-3.0 License https://ultralytics.com/license
name: "Ultralytics Actions"
author: "Ultralytics"
description: "Optimize code and docs with official Ultralytics Actions for syntax, spelling, and link checks."
branding:
icon: "code"
color: "blue"
inputs:
token:
description: "GitHub token"
required: true
labels:
description: "Run issue and PR auto-labeling"
required: false
default: "false"
python:
description: "Run Python formatting"
required: false
default: "false"
markdown:
description: "Run Markdown formatting (deprecated in favor of prettier)"
required: false
default: "false"
prettier:
description: "Run Prettier formatting for JavaScript, JSX, Angular, Vue, Flow, TypeScript, CSS, HTML, JSON, GraphQL, Markdown, YAML"
required: false
default: "false"
swift:
description: "Run Swift formatting"
required: false
default: "false"
spelling:
description: "Run Spelling checks"
required: false
default: "false"
links:
description: "Run Broken Links checks"
required: false
default: "false"
summary:
description: "Run PR Summary"
required: false
default: "false"
openai_api_key:
description: "OpenAI API Key"
required: false
openai_model:
description: "OpenAI Model"
required: false
default: "gpt-4o"
first_issue_response:
description: "Example response to a new issue"
required: false
first_pr_response:
description: "Example response to a new PR"
required: false
github_username:
description: "GitHub username for commits"
required: false
default: "UltralyticsAssistant"
github_email:
description: "GitHub email for commits"
required: false
default: "web@ultralytics.com"
body:
description: "PR body"
required: false
default: ""
runs:
using: "composite"
steps:
- uses: astral-sh/setup-uv@v3
- name: Install Dependencies
# Note tomli required for codespell with pyproject.toml
# For debug:
# python -m pip install --upgrade pip wheel
# pip install -q git+https://github.com/ultralytics/actions@main codespell tomli
run: |
packages="ultralytics-actions"
if [ "${{ inputs.spelling }}" = "true" ]; then
packages="$packages codespell tomli"
fi
# On macOS, don't use sudo as it can cause environment issues
if [ "$(uname)" = "Darwin" ]; then
pip install -q $packages
else
sudo env "PATH=$PATH" uv pip install --system $packages
fi
ultralytics-actions-info
shell: bash
- shell: bash
run: |
echo "${{ inputs.body }}"
# Checkout Repository ----------------------------------------------------------------------------------------------
- name: Checkout Repository
if: github.event.action != 'closed'
uses: actions/checkout@v4
with:
repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
token: ${{ inputs.token }}
ref: ${{ github.head_ref || github.ref }}
fetch-depth: 0
# PR Summary -------------------------------------------------------------------------------------------------------
- name: PR Summary
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.summary == 'true' && github.event.action != 'synchronize'
env:
GITHUB_TOKEN: ${{ inputs.token }}
OPENAI_API_KEY: ${{ inputs.openai_api_key }}
OPENAI_MODEL: ${{ inputs.openai_model }}
run: |
ultralytics-actions-summarize-pr
shell: bash
continue-on-error: true
# Python formatting ------------------------------------------------------------------------------------------------
# Ignores the following Docs rules to match Google-style docstrings:
# D100: Missing docstring in public module
# D104: Missing docstring in public package
# D203: 1 blank line required before class docstring
# D205: 1 blank line required between summary line and description
# D212: Multi-line docstring summary should start at the first line
# D213: Multi-line docstring summary should start at the second line
# D401: First line of docstring should be in imperative mood
# D406: Section name should end with a newline
# D407: Missing dashed underline after section
# D413: Missing blank line after last section
# --target-version is Python 3.8 for --extend-select UP (pyupgrade)
- name: Run Python
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.python == 'true' && github.event.action != 'closed'
run: |
ruff format \
--line-length 120 \
. || true
ruff check \
--fix \
--unsafe-fixes \
--extend-select I,D,UP \
--target-version py38 \
--ignore D100,D104,D203,D205,D212,D213,D401,D406,D407,D413 \
. || true
docformatter \
--wrap-summaries 120 \
--wrap-descriptions 120 \
--pre-summary-newline \
--close-quotes-on-newline \
--in-place \
--recursive \
.
shell: bash
continue-on-error: true
# Prettier (JavaScript, JSX, Angular, Vue, Flow, TypeScript, CSS, HTML, JSON, GraphQL, Markdown, YAML) -------------
- name: Run Prettier
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && (inputs.prettier == 'true' || inputs.markdown == 'true') && github.event.action != 'closed'
run: |
ultralytics-actions-update-markdown-code-blocks
npm install --global prettier
npx prettier --write "**/*.{js,jsx,ts,tsx,css,less,scss,json,yml,yaml,html,vue,svelte}" '!**/*lock.{json,yaml,yml}' '!**/*.lock' '!**/model.json'
# Handle Markdown separately
find . -name "*.md" ! -path "*/docs/*" -exec npx prettier --write {} +
if [ -d "./docs" ]; then
find ./docs -name "*.md" ! -path "*/reference/*" -exec npx prettier --tab-width 4 --write {} +
fi
shell: bash
continue-on-error: true
# - name: Fix MkDocs reference section changes
# if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && (inputs.prettier == 'true' || inputs.markdown == 'true') && github.event.action != 'closed'
# run: |
# from pathlib import Path
# for file in Path("./docs").rglob('*.md'):
# content = file.read_text()
# updated_content = content.replace(".\_","._")
# file.write_text(updated_content)
# shell: python
# continue-on-error: true
# Swift formatting -------------------------------------------------------------------------------------------------
- name: Run Swift Formatter
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.swift == 'true' && github.event.action != 'closed'
run: |
brew install swift-format
swift-format --in-place --recursive .
shell: bash
continue-on-error: true
# Spelling ---------------------------------------------------------------------------------------------------------
- name: Run Codespell
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.spelling == 'true' && github.event.action != 'closed'
run: |
codespell \
--write-changes \
--ignore-words-list "crate,nd,ned,strack,dota,ane,segway,fo,gool,winn,commend,bloc,nam,afterall,skelton,goin" \
--skip "*.pt,*.pth,*.torchscript,*.onnx,*.tflite,*.pb,*.bin,*.param,*.mlmodel,*.engine,*.npy,*.data*,*.csv,*pnnx*,*venv*,*translat*,*lock*,__pycache__*,*.ico,*.jpg,*.png,*.mp4,*.mov,/runs,/.git,./docs/??/*.md,./docs/mkdocs_??.yml"
shell: bash
continue-on-error: true
# Autolabel Issues and PRs (run before commit changes in case commit fails) ----------------------------------------
- name: Autolabel Issues and PRs
if: inputs.labels == 'true' && (github.event.action == 'opened' || github.event.action == 'created')
env:
GITHUB_TOKEN: ${{ inputs.token }}
FIRST_ISSUE_RESPONSE: ${{ inputs.first_issue_response }}
FIRST_PR_RESPONSE: ${{ inputs.first_pr_response }}
OPENAI_API_KEY: ${{ inputs.openai_api_key }}
OPENAI_MODEL: ${{ inputs.openai_model }}
run: |
ultralytics-actions-first-interaction
shell: bash
continue-on-error: true
# Commit Changes ---------------------------------------------------------------------------------------------------
- name: Commit and Push Changes
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && github.event.action != 'closed'
run: |
git config --global user.name "${{ inputs.github_username }}"
git config --global user.email "${{ inputs.github_email }}"
git pull origin ${{ github.head_ref || github.ref }}
git add .
git reset HEAD -- .github/workflows/ # workflow changes are not permitted with default token
if ! git diff --staged --quiet; then
git commit -m "Auto-format by https://ultralytics.com/actions"
git push
else
echo "No changes to commit"
fi
shell: bash
continue-on-error: false
# Broken links -----------------------------------------------------------------------------------------------------
- name: Broken Link Checker
if: inputs.links == 'true' && github.event.action != 'closed'
uses: lycheeverse/lychee-action@v2.0.2
with:
# Check all markdown and html files in repo. Ignores the following status codes to reduce false positives:
# - 403(OpenVINO, "forbidden")
# - 429(Instagram, "too many requests")
# - 500(Zenodo, "cached")
# - 502(Zenodo, "bad gateway")
# - 999(LinkedIn, "unknown status code")
args: |
--scheme https
--timeout 60
--insecure
--accept 403,429,500,502,999
--exclude-all-private
--exclude "https?://(www\.)?(github\.com|linkedin\.com|twitter\.com|instagram\.com|kaggle\.com|fonts\.gstatic\.com|url\.com)"
"./**/*.md"
"./**/*.html"
token: ${{ inputs.token }}
output: ../lychee/results.md
fail: true
continue-on-error: false
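Review bot: The step added at L2947–L2949 (`echo "${{ inputs.body }}"`) and the `body` input at L2921–L2924 are the only test-specific parts of this copy of the upstream action (compare L2323–L2561 and L2565–L2804), but the step carries no `name:` or comment, so it reads like a leftover rather than the fixture's sink. Suggest `name: Echo PR body (test sink — inputs.body is expanded into the script before bash runs)`, and a YAML comment at the top of the file listing which lines are test additions so a future re-sync with upstream does not drop them. Unrelated to the test, `--insecure` on L3092 appears to disable TLS certificate verification for the link checker; harmless in a fixture, but worth knowing if this copy is ever run.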


@@ -0,0 +1,29 @@
name: Issue Workflow
on:
issues:
types: [opened, edited]
jobs:
redirectIssue:
runs-on: ubuntu-latest
name: Check for issue transfer
env:
content_analysis_response: undefined
steps:
- uses: actions/checkout@v2
- name: Remove conflicting chars
env:
ISSUE_TITLE: ${{github.event.issue.title}}
uses: frabert/replace-string-action@1.2
id: remove_quotations
with:
pattern: "\""
string: ${{env.ISSUE_TITLE}}
replace-with: "-"
- name: Check info
id: check-info
run: |
echo "foo $(pwsh bar ${{steps.remove_quotations.outputs.replaced}}) " >> $GITHUB_ENV
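Review bot: The `replace-string-action` step (L3118–L3126) only strips double quotes from the issue title, but the replaced value is then expanded inside a command substitution on L3130 (`$(pwsh bar ${{steps.remove_quotations.outputs.replaced}})`), where shell metacharacters other than `"` and newlines are still significant, so the replacement is not a sanitizer for that sink. If the fixture exists to check that the query keeps treating the replace-step output as tainted, say so above L3127: `# partial sanitizer: only '"' is removed; the title still reaches a shell command below`. The result is also appended to `$GITHUB_ENV` (L3130), so whatever is written there becomes an environment variable for every later step of the job.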


@@ -0,0 +1,28 @@
name: Preview Deploy
on:
workflow_run:
workflows: ["Preview Build"]
types:
- completed
jobs:
success:
runs-on: ubuntu-latest
if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
steps:
- name: download pr artifact
uses: dawidd6/action-download-artifact@v2
with:
workflow: ${{ github.event.workflow_run.workflow_id }}
name: pr
- name: save PR id
id: pr
run: echo "::set-output name=id::$(<pr-id.txt)"
- name: upload surge service
id: deploy
run: |
export DEPLOY_DOMAIN=https://ant-design-pro-preview-pr-${{ steps.pr.outputs.id }}.surge.sh
npx surge --project ./ --domain $DEPLOY_DOMAIN --token ${{ secrets.SURGE_TOKEN }}
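Review bot: The value read from `pr-id.txt` on L3153 comes from an artifact uploaded by the `pull_request`-triggered "Preview Build" run (L3137–L3144), i.e. content the PR author controls, and it is expanded into the script on L3157–L3158 in the same step that has `secrets.SURGE_TOKEN` in scope; the `if:` on L3144 checks the triggering run's event and conclusion but nothing about the artifact's contents. This is presumably the pattern the fixture targets, so I'd mark it: `# source: artifact written by a PR-triggered run; sink: expanded into the run script with SURGE_TOKEN in scope`. Independently, `::set-output` (L3153) is deprecated in favour of `echo "id=$(<pr-id.txt)" >> "$GITHUB_OUTPUT"`, and in non-fixture code a check such as `[[ "$id" =~ ^[0-9]+$ ]]` before exporting the value is the usual mitigation. The same shape recurs at L3162–L3181, there with `download-artifact@main` (a mutable ref) and no `if:` guard at all.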


@@ -0,0 +1,23 @@
name: Preview Deploy
on:
workflow_run:
workflows: ["Preview Build"]
types:
- completed
jobs:
success:
runs-on: ubuntu-latest
steps:
- id: pr
name: Download Artifact
uses: redhat-plumbers-in-action/download-artifact@main
with:
name: README
- name: upload surge service
id: deploy
run: |
echo ${{ steps.pr.outputs.id }}


@@ -0,0 +1,53 @@
name: Dependency Tree Reporter
on:
workflow_run:
workflows: [ "Dependency Tree Input Builder" ]
types:
- completed
permissions: {}
jobs:
compare:
permissions:
actions: read
pull-requests: write
runs-on: ubuntu-latest
if: >
${{ github.event.workflow_run.event == 'pull_request' &&
github.event.workflow_run.conclusion == 'success' }}
steps:
- name: Download artifacts
uses: actions/github-script@v7.0.1
with:
script: |
var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
owner: context.repo.owner,
repo: context.repo.repo,
run_id: ${{github.event.workflow_run.id }},
});
console.log(artifacts);
var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
return artifact.name == "input-artifacts"
})[0];
var download = await github.rest.actions.downloadArtifact({
owner: context.repo.owner,
repo: context.repo.repo,
artifact_id: matchArtifact.id,
archive_format: 'zip',
});
var fs = require('fs');
fs.writeFileSync('${{github.workspace}}/input.zip', Buffer.from(download.data));
- name: Set needed env vars in outputs
id: prepare
run: |
unzip input.zip
echo current directory contents
ls -al
echo Reading PR number
tmp=$(<pr)
echo "PR: ${tmp}"
echo "pr=${tmp}" >> $GITHUB_OUTPUT
- run: echo ${{ steps.prepare.outputs.pr }}
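Review bot: `artifacts.data.artifacts.filter(...)[0]` is `undefined` when the triggering run produced no `input-artifacts` artifact, so `matchArtifact.id` throws a TypeError instead of a readable failure; add `if (!matchArtifact) { core.setFailed('input-artifacts artifact not found'); return; }` before the `downloadArtifact` call. The Publish Results workflow later in this commit does the same lookup with `find(...)` and `artifact?.id`, so the two fixtures could share one idiom. The zip comes from a `pull_request` run and is unpacked into the workspace by `unzip input.zip` in a job holding `pull-requests: write`, which is presumably the untrusted-artifact case this fixture targets; a header comment stating that would help the next reader.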


@@ -0,0 +1,22 @@
# Second Workflow
# It consumes an artifact produced by the First Workflow
on: workflow_run
jobs:
my-second-job:
runs-on: ubuntu-latest
steps:
- name: download pr artifact
uses: dawidd6/action-download-artifact@v2
with:
workflow: ${{github.event.workflow_run.workflow_id}}
run_id: ${{github.event.workflow_run.id}}
name: artifact
# Save PR id to output
- name: Save artifact data
id: artifact
run: echo "::set-output name=id::$(<artifact.txt)"
- name: Use artifact
run: echo ${{ steps.artifact.outputs.id }}


@@ -0,0 +1,23 @@
# It consumes an artifact produced by the First Workflow
on: workflow_run
jobs:
my-second-job:
runs-on: ubuntu-latest
steps:
- name: download pr artifact
uses: dawidd6/action-download-artifact@v2
with:
workflow: ${{github.event.workflow_run.workflow_id}}
run_id: ${{github.event.workflow_run.id}}
name: artifact
# Save PR id to output
- name: Save artifact data
id: artifact
uses: juliangruber/read-file-action@v1
with:
path: ./artifact.txt
- name: Use artifact
run: echo ${{ steps.artifact.outputs.content }}


@@ -0,0 +1,30 @@
# It consumes an artifact produced by the First Workflow
on: workflow_run
jobs:
my-second-job:
runs-on: ubuntu-latest
steps:
- name: download pr artifact
uses: dawidd6/action-download-artifact@v2
with:
workflow: ${{github.event.workflow_run.workflow_id}}
run_id: ${{github.event.workflow_run.id}}
name: artifact
- id: artifact
run: |
echo "::set-output name=pr_number::$(<artifact.txt)"
mkdir firebase-android
unzip firebase-android.zip -d firebase-android
- name: Use artifact
run: echo ${{ steps.artifact.outputs.pr_number }}
- id: artifact2
run: |
echo "::set-output name=pr_number::$(cat -e artifact.txt)"
mkdir firebase-android
unzip firebase-android.zip -d firebase-android
- name: Use artifact
run: echo ${{ steps.artifact2.outputs.pr_number }}


@@ -0,0 +1,31 @@
# It consumes an artifact produced by the First Workflow
on: workflow_run
jobs:
my-second-job:
runs-on: ubuntu-latest
steps:
- name: download pr artifact
uses: dawidd6/action-download-artifact@v2
with:
workflow: ${{github.event.workflow_run.workflow_id}}
run_id: ${{github.event.workflow_run.id}}
name: artifact
- id: artifact
run: |
set -eou pipefail
pr_number=$(cat -e artifact.txt)
pr_number=${pr_number%?}
pr_length=${#pr_number}
only_numbers_re="^[0-9]+$"
if ! [[ $pr_length <= 10 && $pr_number =~ $only_numbers_re ]] ; then
echo "invalid PR number"
exit 1
fi
echo "::set-output name=pr_number::$pr_number"
mkdir firebase-android
unzip firebase-android.zip -d firebase-android
- name: Use artifact
run: echo ${{ steps.artifact.outputs.pr_number }}
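Review bot: `if ! [[ $pr_length <= 10 && $pr_number =~ $only_numbers_re ]]` is not valid bash: inside `[[ ]]` only `<` and `>` exist, as string comparisons, and `<=` is rejected with a syntax error, so the step aborts before the regex check runs and the fixture never reaches `::set-output`. Use the integer operator: `if ! [[ $pr_length -le 10 && $pr_number =~ $only_numbers_re ]]; then`. `pr_number=${pr_number%?}` is there to drop the `$` that `cat -e` appends to the line, which reads like an off-by-one until you know that, so a comment such as `# strip the trailing '$' that cat -e appends` is worth adding.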


@@ -0,0 +1,22 @@
# Second Workflow
# It consumes an artifact produced by the First Workflow
on: workflow_run
jobs:
my-second-job:
runs-on: ubuntu-latest
steps:
- name: download pr artifact
uses: dawidd6/action-download-artifact@v2
with:
workflow: ${{github.event.workflow_run.workflow_id}}
run_id: ${{github.event.workflow_run.id}}
name: artifact
# Save PR id to output
- name: Save artifact data
id: artifact
run: echo "::set-output name=id::$(<artifact.txt)"
- name: Use artifact
run: echo ${{ steps.artifact.outputs.id }}


@@ -0,0 +1,60 @@
name: CI
on:
pull_request:
jobs:
changed_files:
runs-on: ubuntu-latest
name: Test changed-files
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Get changed files 1
id: changed-files1
uses: tj-actions/changed-files@v40
- name: List all changed files 1
run: |
for file in ${{ steps.changed-files1.outputs.all_changed_files }}; do
echo "$file was changed"
done
- name: Get changed files 2
id: changed-files2
uses: tj-actions/changed-files@v41
- name: List all changed files 2
run: |
for file in ${{ steps.changed-files2.outputs.all_changed_files }}; do
echo "$file was changed"
done
- name: Get changed files 3
id: changed-files3
uses: tj-actions/changed-files@v41
with:
safe_output: false
- name: List all changed files 3
run: |
for file in ${{ steps.changed-files3.outputs.all_changed_files }}; do
echo "$file was changed"
done
- name: Get changed files 4
id: changed-files4
uses: tj-actions/changed-files@0874344d6ebbaa00a27da73276ae7162fadcaf69 # v44.3.0
- name: List all changed files 4
run: |
for file in ${{ steps.changed-files4.outputs.all_changed_files }}; do
echo "$file was changed"
done
- name: Get changed files 5
id: changed-files5
uses: tj-actions/changed-files@95690f9ece77c1740f4a55b7f1de9023ed6b1f87 # v39.2.3
- name: List all changed files 5
run: |
for file in ${{ steps.changed-files5.outputs.all_changed_files }}; do
echo "$file was changed"
done
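Review bot: The five `changed-files` steps differ only in the pinned version and `safe_output`, and nothing in the file says which of them the test expects to flag; a header comment stating the intended matrix would keep the fixture maintainable when versions are bumped. As I recall, `safe_output` (default true) was introduced in v41 after the command-injection advisory for earlier releases, so the v40, `safe_output: false` and v39.2.3 steps are presumably the positive cases and the plain v41 and v44.3.0 steps the negatives, which is worth confirming against the query's sanitizer list. Independently of version, the robust form that both tj-actions' README and GitHub's hardening guide document is to pass the output through `env:` and loop over `$ALL_CHANGED_FILES` rather than interpolating `${{ steps.…outputs.all_changed_files }}` into the script.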


@@ -0,0 +1,30 @@
on: issue_comment
jobs:
echo-chamber:
runs-on: ubuntu-latest
steps:
- run: |
Foo
echo '${{ github.event.comment.body }}'
Bar
echo-chamber2:
runs-on: ubuntu-latest
steps:
- run: echo '${{ github.event.comment.body }}'
- run: echo '${{ github.event.issue.body }}'
- run: echo '${{ github.event.issue.title }}'
echo-chamber3:
runs-on: ubuntu-latest
steps:
- uses: actions/github-script@v3
with:
script: console.log('${{ github.event.comment.body }}')
- uses: actions/github-script@v3
with:
script: console.log('${{ github.event.issue.body }}')
- uses: actions/github-script@v3
with:
script: console.log('${{ github.event.issue.title }}')
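Review bot: `actions/github-script@v3` targets Node 12, which GitHub no longer runs natively (the runner forces a newer Node and emits a deprecation warning), so the fixture would be more representative of real workflows pinned to `actions/github-script@v7`, which the other github-script fixtures in this commit use. In the first `echo-chamber` job the `run: |` block has bare `Foo` and `Bar` lines around the `echo`; if they exist only to check that the taint is found on the middle line of a multi-line script, a comment like `# filler lines: the sink is the middle line of a multi-line run` would stop someone from removing them. The comment-body and issue-body expressions are the injection sinks this file presumably exercises, so I would leave those as they are.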


@@ -0,0 +1,12 @@
on: issue_comment
# same as comment_issue but this file ends with a line break
jobs:
echo-chamber:
runs-on: ubuntu-latest
steps:
- run: |
LINE 1 echo '${{ github.event.comment.body }}'
LINE 2 echo '${{github.event.issue.body}}'
LINE 3 echo '${{ github.event.comment.body }}'


@@ -0,0 +1,10 @@
name: Issue Workflow
on:
pull_request_target:
jobs:
test:
name: Test
runs-on: ubuntu-latest
steps:
- uses: .github/actions/action1
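Review bot: `uses: .github/actions/action1` lacks the `./` prefix that GitHub requires for a local action; the runner parses a bare `owner/repo`-shaped string as a remote action and fails to resolve it. If the extractor accepts both spellings this is only a fidelity issue, but the fixture would match what users actually write as `uses: ./.github/actions/action1`. The same form appears in the `pull_request`-triggered copy and in the `issue_comment` fixture that uses `.github/actions/action5` two sections down.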


@@ -0,0 +1,10 @@
name: Issue Workflow
on:
pull_request:
jobs:
test:
name: Test
runs-on: ubuntu-latest
steps:
- uses: .github/actions/action1


@@ -0,0 +1,15 @@
name: Issue Workflow
on:
issue_comment:
jobs:
test:
name: Test
runs-on: ubuntu-latest
steps:
- uses: .github/actions/action5
id: foo
with:
taint: ${{ github.event.comment.body }}
- run: echo "${{ steps.foo.outputs.result }}"
- run: echo "${{ steps.foo.outputs.result2 }}"


@@ -0,0 +1,18 @@
name: Issue Workflow
on:
pull_request_target:
jobs:
test:
name: Test
runs-on: ubuntu-latest
steps:
- name: Clone branch
id: clone
uses: TestOrg/TestRepo/.github/actions/clone-repo@main
with:
title: ${{ github.event.pull_request.title }}
forked-pr: true
fetch-depth: 2
- run: echo "${{ steps.clone.outputs.result }}"


@@ -0,0 +1,161 @@
# Issues_workflow.yaml (https://github.com/Bughalla/dynamods_dynamo/blob/1c1d3e29ee9bca81b43d78f22bf953100ef67009/.github/workflows/Issues_workflow.yaml#L128-L128)
name: Issue Workflow
on:
issues:
types: [opened,edited]
permissions: {}
jobs:
#This job will check the issue to determine if it should be moved to a different repository
redirectIssue:
name: Check for issue transfer
runs-on: ubuntu-latest
env:
#The 'content_analysis_response' variable is used to store the script response on step one,
#and then checked on step two to know if adding any labels is necessary.
#The initial 'undefined' value will be overridden when the script runs.
content_analysis_response: undefined
ISSUE_TITLE: ${{github.event.issue.title}}
ISSUE_BODY: ${{github.event.issue.body}}
outputs:
result: ${{env.content_analysis_response}}
steps:
- uses: actions/checkout@v4
#Detect if the issue_title follows the regex expression
- name: Check Issue Title
uses: actions-ecosystem/action-regex-match@v2
id: regex-match
with:
text: ${{github.event.issue.title}}
regex: '^[A-Za-z0-9 _.]*$'
flags: g
#If the regex output is '' means that the issue title contains special chars
- name: Exit Job
if: ${{ steps.regex-match.outputs.match == '' }}
run: |
echo "Bad Issue Title Format"
exit 1
#Remove the " character in the issue title and replaced with -
- name: Remove conflicting chars
uses: frabert/replace-string-action@v2.5
id: remove_quotations
with:
pattern: "\""
string: ${{env.ISSUE_TITLE}}
replace-with: '-'
flags: g
#According to the issue_title returns a specific label
- name: Check Information
id: check-info
env:
ISSUE_TITLE_PARSED: ${{steps.remove_quotations.outputs.replaced}}
run: |
echo "content_analysis_response=$(pwsh .\\.github\\scripts\\title_analyzer.ps1)" >> $GITHUB_ENV
#labels the issue based in the text returned in content_analysis_response var
- name: Label issue
if: env.content_analysis_response != 'Valid'
#Uses DYNAMOBOTTOKEN to allow interaction between repos
run: |
curl -v -u admin:${{ secrets.DYNAMOBOTTOKEN }} -d '{"labels": ["${{env.content_analysis_response}}"]}' ${{ github.event.issue.url }}/labels
#This job will scan the issue content to determing if more information is needed and act acordingly
#Will only run if the "redirectIssue" job outputted a 'Valid' result
checkIssueInformation:
if: needs.redirectIssue.outputs.result == 'Valid'
name: Check for missing information
#Wait for the previous job to finish as it needs its output
needs: redirectIssue
runs-on: ubuntu-latest
env:
#The 'analysis_response' variable is used to store the script response on step one,
#and then checked on step two to know if adding the label and comment is necessary.
#The initial 'undefined' value will be overridden when the script runs.
analysis_response: undefined
#Greetings for valid issues
greetings_comment: "Thank you for submitting the issue to us. We are sorry to
see you get stuck with your workflow. While waiting for our team member to respond,
please feel free to browse our forum at https://forum.dynamobim.com/ for more Dynamo related information."
#Comment intro
comment_intro: "Hello ${{ github.actor }}, thank you for submitting this issue!
We are super excited that you want to help us make Dynamo all that it can be."
#issue_coment holds the comment format, while the missing information will be provided by analysis_response
needs_more_info_comment: "However, we need some more information in order for the Dynamo
team to investigate any further.\\n\\n"
#comment to be used if the issue is closed due to the template being empty
close_issue_comment: "However, given that there has been no additional information added,
this issue will be closed for now. Please reopen and provide additional
information if you wish the Dynamo team to investigate further.\\n\\n"
#Info asked from the user in bot comments
info_needed: "Additional information:\\n
- Filling in of the provided Template (What did you do, What did you expect to see,
What did you see instead, What packages or external references (if any) were used)\\n
- Attaching the Stack Trace (Error message that shows up when Dynamo crashes - You can copy and paste this into the Github Issue)\\n
- Upload a .DYN file that showcases the issue in action and any additional needed files, such as Revit
(Note: If you cannot share a project, you can recreate this in a quick mock-up file)\\n
- Upload a Screenshot of the error messages you see (Hover over the offending node and showcase
said errors message in the screenshot)\\n
- Reproducible steps on how to create the error in question."
#Text to ask for specific missing information (complemented by the analysis response)
specific_info: "Can you please fill in the following to the best of your ability:"
#template file name
template: "ISSUE_TEMPLATE.md"
#label to tag the issue with if its missing information
issue_label: needs more info
#amount of sections from the template that can be missing information for the issue to still be considered complete
acceptable_missing_info: 1
steps:
#Checkout the repo
- uses: actions/checkout@v4
#Removes conflicting characters before using the issue content as a script parameter
- name: Remove conflicting chars
env:
ISSUE_BODY: ${{github.event.issue.body}}
uses: frabert/replace-string-action@v2.5
id: remove_quotations
with:
pattern: "\""
string: ${{env.ISSUE_BODY}}
replace-with: '-'
flags: g
#Checks for missing information inside the issue content
- name: Check Information
id: check-info
env:
ISSUE_BODY: ${{ steps.remove_quotations.outputs.replaced }}
run: |
echo "analysis_response=$(pwsh .\\.github\\scripts\\issue_analyzer.ps1 "${{ env.template }}" "${{ env.acceptable_missing_info }}" )" >> $GITHUB_ENV
#Closes the issue if the analysis response is "Empty"
- name: Close issue
if: env.analysis_response == 'Empty'
run: |
curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"body": "${{env.comment_intro}} ${{env.close_issue_comment}} ${{env.info_needed}}"}' ${{ github.event.issue.url }}/comments
curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -X PATCH -d '{"state": "closed"}' ${{ github.event.issue.url }}
#Adds the "needs more info" label if needed
- name: Label and comment issue
if: ((env.analysis_response != 'Valid') && (env.analysis_response != 'Empty') && (github.event.action == 'opened'))
run: |
curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"labels": ["${{env.issue_label}}"]}' ${{ github.event.issue.url }}/labels
curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"body": "${{env.comment_intro}} ${{env.needs_more_info_comment}} ${{env.specific_info}} ${{env.analysis_response}}.\n\n${{env.info_needed}}"}' ${{ github.event.issue.url }}/comments
#Removes the "needs more info" label if the issue has the missing information
- name: Unlabel updated issue
if: env.analysis_response == 'Valid' && github.event.action == 'edited'
run: |
echo urldecode ${{env.issue_label}}
curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -X DELETE ${{ github.event.issue.url }}/labels/$(echo -ne "${{env.issue_label}}" | xxd -plain | tr -d '\n' | sed 's/\(..\)/%\1/g')
#Adds greetings message
- name: Greetings
if: env.analysis_response == 'Valid' && github.event.action == 'opened'
run: |
curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"body": "${{env.greetings_comment}}"}' ${{ github.event.issue.url }}/comments
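Review bot: Every `curl -v -u admin:${{ secrets.GITHUB_TOKEN }}` (and the `DYNAMOBOTTOKEN` call in the Label issue step) writes the request headers to the job log, including `Authorization: Basic <base64 of admin:token>`; the runner masks the literal secret, but I would not rely on it masking that encoded form, so the credential can end up readable in logs. Drop `-v` in favour of `-sS -f`, and pass the token via the environment, `env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` with `-H "Authorization: Bearer $GH_TOKEN"`. The JSON bodies are built by expression interpolation of `env.content_analysis_response` / `env.analysis_response`, values produced by scripts from the issue text, which is presumably the sink the header's `#L128` link points at; a comment on that step naming it as the intended finding would save the next reader the lookup. Minor: `types: [opened,edited]` wants a space after the comma.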


@@ -0,0 +1,110 @@
# issue_type_predicter.yml (https://github.com/Bughalla/dynamods_dynamo/blob/1c1d3e29ee9bca81b43d78f22bf953100ef67009/.github/workflows/issue_type_predicter.yml#L40-L40)
name: Issue Type Predicter
# This workflow uses https://github.com/DynamoDS/IssuesTypePredicter to predict the type of a github issue
permissions: {}
on:
issues:
types: [opened, edited]
jobs:
issue_type_Predicter:
name: Issue Type Predicter
runs-on: ubuntu-latest
env:
# The 'analysis_response' variable is used to store the response returned by issue_analyzer.ps1
# The initial 'undefined' value will be overridden when the script runs
analysis_response: undefined
# The 'parsed_issue_body' variable is used to store the parsed issue body (after removing some sections of the body like Stack Trace)
parsed_issue_body: undefined
# The 'issue_json_string' variable is used to store parsed info of the issue body as a json string
issue_json_string: undefined
# The 'is_wish_list' variable is used to store the value returned by the IssuesTypePredicter project
is_wish_list: undefined
# issue template file name
template: "ISSUE_TEMPLATE.md"
# amount of sections from the template that can be missing information for the issue to still be considered valid
acceptable_missing_info: 1
steps:
# Checkout Dynamo repo
- name: Checkout Dynamo Repo
uses: actions/checkout@v4
# Removes quotes before using the issue content as a script parameter
- name: Remove Quotes
id: remove_quotes
uses: frabert/replace-string-action@v2.5
env:
ISSUE_BODY: ${{ github.event.issue.body }}
with:
pattern: "\""
string: ${{ env.ISSUE_BODY }}
replace-with: '-'
# Analyze for missing information inside the issue content
- name: Analyze Issue Body
env:
ISSUE_BODY: ${{ steps.remove_quotes.outputs.replaced }}
run: |
echo "analysis_response=$(pwsh .\\.github\\scripts\\issue_analyzer.ps1 "${{ env.template }}" "${{ env.acceptable_missing_info }}")" >> $GITHUB_ENV
# Remove sections in the issue body like "Dynamo version", "Stack Trace" because won't be used to predict the issue type
- name: Clean Issue Body
if: env.analysis_response == 'Valid'
env:
ISSUE_BODY_PARSED: ${{ steps.remove_quotes.outputs.replaced }}
run: |
echo "parsed_issue_body="$(pwsh .\\.github\\scripts\\issue_body_cleaner.ps1 )"" >> $GITHUB_ENV
# Create json string from the issue body
- name: Create Issue JSON String
if: env.analysis_response == 'Valid'
env:
ISSUE_NUMBER: ${{ github.event.issue.number }}
ISSUE_TITLE: ${{ github.event.issue.title }}
run: |
echo "issue_json_string="$(pwsh .\\.github\\scripts\\get_issue_json_body.ps1 "$ISSUE_NUMBER")"" >> $GITHUB_ENV
# Checkout the IssuesTypePredicter repo (https://github.com/DynamoDS/IssuesTypePredicter)
- name: Checkout IssuesTypePredicter Repo
if: env.analysis_response == 'Valid'
uses: actions/checkout@v4
with:
repository: DynamoDS/IssuesTypePredicter
path: IssuesTypePredicter
# Setup dotnet
- name: Setup dotnet
uses: actions/setup-dotnet@v4
with:
dotnet-version: '3.1.0'
# Build the solution IssuesTypePredicter.sln (this contains two VS2019 ML.NET projects)
- name: Build Issues Type Predicter
if: env.analysis_response == 'Valid'
run: |
dotnet build ./IssuesTypePredicter/IssuesTypePredicter.sln --configuration Release
cp ./IssuesTypePredicter/IssuesTypePredicterML.ConsoleApp/bin/Release/netcoreapp3.1/MLModel.zip .
# Execute the IssuesTypePredicter program and pass 'issue_json_string' as a parameter
- name: Run Issues Type Predicter
if: env.analysis_response == 'Valid'
run: |
echo "is_wish_list="$(dotnet run -p ./IssuesTypePredicter/IssuesTypePredicterML.ConsoleApp/IssuesTypePredicterML.ConsoleApp.csproj -v q "${{ env.issue_json_string }}")"" >> $GITHUB_ENV
# If the is_wish_list variable contains 1, label the issue as "Wishlist"
- name: Label issue as 'Wishlist'
if: env.analysis_response == 'Valid' && contains(env.is_wish_list, 'IsWishlist:1')
env:
GH_TOKEN: ${{ secrets.DYNAMO_ISSUES_TOKEN }}
run: |
gh issue edit ${{ github.event.issue.number }} --add-label "Wishlist" --repo ${{ github.repository }}
# If the issue is missing important information (don't follow the template structure), label the issue as "NotMLEvaluated"
- name: Label issue as 'NotMLEvaluated'
if: env.analysis_response != 'Valid' || env.issue_json_string == ''
env:
GH_TOKEN: ${{ secrets.DYNAMO_ISSUES_TOKEN }}
run: |
gh issue edit ${{ github.event.issue.number }} --add-label "NotMLEvaluated" --repo ${{ github.repository }}
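Review bot: `echo "parsed_issue_body="$(pwsh …)"" >> $GITHUB_ENV` (and the same shape in the JSON-string and predicter steps) leaves the command substitution outside the quotes, so the script output is word-split and globbed, and any newline in it would break the `key=value` format of `GITHUB_ENV`; write `echo "parsed_issue_body=$(pwsh .\\.github\\scripts\\issue_body_cleaner.ps1)" >> "$GITHUB_ENV"` or, if the value can span lines, the `key<<EOF` heredoc form. `dotnet run … "${{ env.issue_json_string }}"` expands issue-derived JSON into the shell at template time, which is presumably the sink the header's `#L40` link marks; the hardened spelling is `"$issue_json_string"`, reading the job env at run time. The `frabert/replace-string-action` step here omits `flags: g` while the sibling Issues_workflow sets it, so if the action builds a RegExp from `pattern` and `flags` only the first quote is replaced; worth a comment if that asymmetry is deliberate.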


@@ -0,0 +1,68 @@
# cherry-picking.yaml (https://github.com/Bughalla/dynamods_dynamo/blob/1c1d3e29ee9bca81b43d78f22bf953100ef67009/.github/workflows/disabled/cherry-picking.yaml#L45-L51)
#DYN-3364
#This action is disabled for now due to it not behaving as expected
name: Cherry picking
on:
push:
branches:
- master
permissions: {}
jobs:
cherry_pick:
runs-on: ubuntu-latest
env:
#Variable for the name of the branch to cherry-pick into.
#It will remain 'invalid' if no branch is specified
destination_branch: 'invalid'
#Name of the autogenerated branch to create the PR from
auto_branch: 'auto-${{github.event.after}}'
#Username for the cherrypick
user_name: "Dynamo-Bot"
steps:
- name: checkout
uses: actions/checkout@v3
#Removes posible conflicting characters on the commit message
#This is because the content of the message will be passed to a script as a parameter and quotation marks will split the text as if it where multiple parameters.
- name: Remove conflicting chars
uses: frabert/replace-string-action@v1.2
id: remove_quotations
with:
pattern: "\""
string: ${{github.event.commits[0].message}}
replace-with: "-"
flags: g
#Checks the message looking for a cherry-pick request and extracts the target branch name
- name: Check Information
env:
ISSUE_BODY_PARSED: ${{steps.remove_quotations.outputs.replaced}}
id: check-info
run: |
echo "destination_branch=$(pwsh .\\.github\\scripts\\cherry_pick_check.ps1 "${{ env.ISSUE_BODY_PARSED }}" )" >> $GITHUB_ENV
#If a target branch was found will run the action
- if: env.destination_branch != 'invalid'
name: Create PR to branch
run: |
git config user.name "${{env.user_name}}"
git fetch --all
git checkout -b ${{env.auto_branch}} origin/${{env.destination_branch}}
git cherry-pick -x ${{github.event.after}} --strategy-option theirs
git push -u origin ${{env.auto_branch}}
hub pull-request -b "${{env.destination_branch}}" -h "${{env.auto_branch}}" -m "${{env.pr_message}}"
env:
#Token used for the pull request. Corresponds to the DynamoBot account
GITHUB_TOKEN: ${{secrets.DYNAMOBOTTOKEN}}
ISSUE_BODY_PARSED: ${{steps.remove_quotations.outputs.replaced}}
#This represents the title and description of the pr in Markdown format
#Everything before the first blank line will be the title
#Everything after will be included in the description
pr_message: |
Cherry-Pick from commit: ${{github.event.after}}
### Cherry-picking:
[Commit](https://github.com/DynamoDS/Dynamo/commit/${{github.event.after}})
### Pull request:
${{ env.ISSUE_BODY_PARSED }}
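Review bot: `destination_branch` is produced by `cherry_pick_check.ps1` from the commit message and then spliced into the shell by `${{env.destination_branch}}` in `git checkout -b … origin/…` and in `hub pull-request`, with `pr_message` carrying the raw parsed message as well; that is presumably the sink the header's `#L45-L51` link marks, so I would keep it but add a comment on the Create PR step saying so. If a hardened twin is wanted, read the job env at run time, `git checkout -b "$auto_branch" "origin/$destination_branch"`, rather than relying on template expansion. Separately, `hub` is not, as far as I know, preinstalled on current `ubuntu-latest` images, so this step would fail outside the test harness; `gh pr create --base … --head …` is the maintained equivalent.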


@@ -0,0 +1,8 @@
on: discussion
jobs:
echo-chamber:
runs-on: ubuntu-latest
steps:
- run: echo '${{ github.event.discussion.title }}'
- run: echo '${{ github.event.discussion.body }}'


@@ -0,0 +1,9 @@
on: discussion_comment
jobs:
echo-chamber:
runs-on: ubuntu-latest
steps:
- run: echo '${{ github.event.discussion.title }}'
- run: echo '${{ github.event.discussion.body }}'
- run: echo '${{ github.event.comment.body }}'


@@ -0,0 +1,94 @@
on:
workflow_call:
inputs:
botGithubId:
description: bot id
type: string
required: true
secrets:
githubBotPAT:
description: The personal access token
required: true
permissions: {} # all none
jobs:
versions-check-result:
name: Publish Results
runs-on: ubuntu-latest
if: github.event.workflow_run.conclusion != 'skipped'
steps:
- uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
id: search-patch
with:
script: |
let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
run_id: context.payload.workflow_run.id,
...context.repo
})
let artifact = allArtifacts.data.artifacts.find(artifact => artifact.name == 'git-patch')
return artifact?.id
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
if: steps.search-patch.outputs.result
with:
ref: '${{ github.event.workflow_run.head_sha }}'
persist-credentials: false #Opt out from persisting the default Github-token authentication in order to enable use of the bot's PAT when pushing below
- name: Download git patch
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
id: fetch-patch
if: steps.search-patch.outputs.result
with:
script: |
let download = await github.rest.actions.downloadArtifact({
artifact_id: ${{ steps.search-patch.outputs.result }},
archive_format: 'zip',
...context.repo
})
let fs = require('fs')
fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/patch.zip`, Buffer.from(download.data))
await exec.exec('unzip', ['patch.zip'])
let pr_number = Number(fs.readFileSync('github_pull_request_number.txt'))
core.setOutput('pull_request_number', pr_number)
await io.rmRF('patch.zip')
await io.rmRF('github_pull_request_number.txt')
- name: Apply and push version increment
id: git-commit
if: steps.search-patch.outputs.result
run: |
set -x
# Set initial placeholder name/mail and read it from the patch later
git config --global user.email 'foo@bar'
git config --global user.name 'Foo Bar'
git am version_increments.patch
# Read the author's name+mail from the just applied patch and recommit it with both set as committer
botMail=$(git log -1 --pretty=format:'%ae')
botName=$(git log -1 --pretty=format:'%an')
git config --global user.email "${botMail}"
git config --global user.name "${botName}"
git commit --amend --no-edit
fileList=$(git diff-tree --no-commit-id --name-only HEAD -r)
echo "file-list<<EOF" >> $GITHUB_OUTPUT
echo "$fileList" >> $GITHUB_OUTPUT
echo "EOF" >> $GITHUB_OUTPUT
git push \
"https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \
'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'
env:
BOT_PA_TOKEN: ${{ secrets.githubBotPAT }}
- name: Add or update information comment
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
if: always()
with:
github-token: ${{ secrets.githubBotPAT }}
script: |
const fileList = `${{ steps.git-commit.outputs.file-list }}`
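Review bot: `Number(fs.readFileSync('github_pull_request_number.txt'))` yields `NaN` for an empty or non-numeric file and is exported unchecked; add `if (!Number.isInteger(pr_number)) { core.setFailed('invalid pull request number in artifact'); return }` before `core.setOutput`. In the commit step, `set -x` traces the `git push` with `BOT_PA_TOKEN` expanded inside the URL; the runner masks the exact value, but a trace line is a fragile place for a credential, so drop `set -x` or push through a credential helper instead of a URL-embedded token. The patch applied by `git am` comes from an artifact of the triggering run and is pushed with the bot PAT, which is presumably the poisoned-artifact case this fixture exercises; as visible here the final github-script body stops after `const fileList = …`, so a trailing comment that the script was trimmed for the test would keep it from reading as an unfinished step.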


@@ -0,0 +1,95 @@
name: changelog
on:
workflow_call:
inputs:
taint:
description: taint
type: string
required: true
default: ""
jobs:
changelog:
runs-on: ubuntu-latest
env:
file: CHANGELOG.md
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Check ${{ env.file }}
run: |
if [[ $(git diff --name-only origin/master HEAD -- ${{ env.file }} | grep '^${{ env.file }}$' -c) -eq 0 ]]; then
echo "Expected '${{ env.file }}' to be modified"
exit 1
fi
update:
runs-on: ubuntu-latest
needs: changelog
continue-on-error: true
env:
file: CHANGELOG.md
next_version: next
link: '[#${{ github.event.number }}](https://github.com/fabricjs/fabric.js/pull/${{ github.event.number }})'
steps:
- run: echo "${{ inputs.taint }}"
- uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.ref }}
- name: Update ${{ env.file }} from PR title
id: update
uses: actions/github-script@v6
env:
log: '- ${{ github.event.pull_request.title }} ${{ env.link }}\n'
prev_log: '- ${{ github.event.changes.title.from }} ${{ env.link }}\n'
with:
result-encoding: string
script: |
const fs = require('fs');
const file = './${{ env.file }}';
let content = fs.readFileSync(file).toString();
const title = '[${{ env.next_version }}]';
const log = '${{ env.log }}';
let exists = ${{ needs.changelog.result == 'success' }};
if (!content.includes(title)) {
const insertAt = content.indexOf('\n') + 1;
content =
content.slice(0, insertAt) +
`\n## ${title}\n\n\n` +
content.slice(insertAt);
}
const insertAt = content.indexOf('\n', content.indexOf(title) + title.length + 1) + 1;
if (exists && ${{ github.event.action == 'edited' }}) {
const prevLog = '${{ env.prev_log }}';
const index = content.indexOf(prevLog, insertAt);
if (index > -1) {
content = content.slice(0, index) + content.slice(index + prevLog.length);
exists = false;
}
}
if (!exists) {
content = content.slice(0, insertAt) + log + content.slice(insertAt);
fs.writeFileSync(file, content);
return true;
}
return false;
- name: Setup node
if: fromJson(steps.update.outputs.result)
uses: actions/setup-node@v3
with:
node-version: 18.x
- name: Commit & Push
if: fromJson(steps.update.outputs.result)
run: |
npm ci
npx prettier --write ${{ env.file }}
git config user.name github-actions[bot]
git config user.email github-actions[bot]@users.noreply.github.com
git add ${{ env.file }}
git commit -m "update ${{ env.file }}"
git push
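Review bot: `const log = '${{ env.log }}';` and `const prevLog = '${{ env.prev_log }}';` splice a pull-request title into JavaScript string literals at template time, and `- run: echo "${{ inputs.taint }}"` does the same for a caller-supplied input into bash; these are presumably the sinks this fixture exercises, so a header comment naming them is the change I would make rather than hardening them. If a hardened twin is ever wanted, `const log = process.env.log;` reads the same value at run time. Note also that `github.event.number` and `github.event.pull_request` are only present when the calling workflow runs on a pull-request event, which is worth stating in the `workflow_call` description since nothing here enforces it.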
