diff --git a/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml b/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml
index 13c246f4ff3..a03c27be226 100644
--- a/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml
+++ b/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml
@@ -9,6 +9,9 @@ outputs:
 result:
 description: "result"
 value: ${{ steps.step.outputs.result }}
+ result2:
+ description: "result"
+ value: ${{ steps.step2.outputs.result2 }}
 runs:
 using: 'composite'
 steps:
@@ -20,6 +23,11 @@ runs:
 FOO: ${{ inputs.taint }}
 shell: bash
 run: echo "result=$(echo $FOO)" >> $GITHUB_OUTPUT
+ - id: step2
+ env:
+ FOO2: ${{ github.event.pull_request.body }}
+ shell: bash
+ run: echo "result2=$(echo $FOO2)" >> $GITHUB_OUTPUT
 - name: Sink
 id: sink
 shell: bash
diff --git a/ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml b/ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml
new file mode 100644
index 00000000000..75d7e79c1e4
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml
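Review bot: In the second hunk, step `step2` reads `github.event.pull_request.body` straight from the event context, so `result2` is untrusted regardless of what the caller passes to `inputs.taint`, yet the output added in the first hunk reuses the description `"result"` verbatim and the step carries no `name:` unlike the sibling `Sink` step. Since this is a fixture for the CWE-094 query, its intent is easier to maintain when the source is labelled: add `# source: PR body read directly from the event, not from an input` above `FOO2:`, and give the new output a description that distinguishes it from `result`, e.g. `description: "result2 (derived from the PR body)"`. The `runs.steps` sequence continues on both sides of the second hunk, so the step holding `FOO:` starts outside it.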
@@ -0,0 +1,46 @@
+name: Clone repository
+description: Clone repository
+inputs:
+ title:
+ description: Title
+ required: true
+ forked-pr:
+ description: Whether the event is operating from a forked PR
+ required: true
+ fetch-depth:
+ description: Fetch depth for actions/checkout
+ default: "1"
+outputs:
+ result:
+ description: "result"
+ value: ${{ steps.out.outputs.replaced }}
+
+runs:
+ using: composite
+ steps:
+ - shell: bash
+ run: echo "${{ inputs.title }}"
+ - uses: frabert/replace-string-action@v2.5
+ id: out
+ with:
+ pattern: "\""
+ string: ${{ inputs.title }}
+ replace-with: 'foo'
+ flags: g
+ - id: out2
+ env:
+ FOO: ${{ inputs.title }}
+ shell: bash
+ run: echo "result=$(echo $FOO)" >> $GITHUB_OUTPUT
+ - name: Clone branch
+ if: "!fromJSON(inputs.forked-pr)"
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: ${{ inputs.fetch-depth }}
+ - name: Clone forked PR
+ if: fromJSON(inputs.forked-pr)
+ uses: actions/checkout@v3
+ with:
+ ref: refs/pull/${{ github.event.number }}/merge
+ fetch-depth: ${{ inputs.fetch-depth }}
+
diff --git a/ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml b/ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml
new file mode 100644
index 00000000000..0c4aa93c7a5
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml
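Review bot: The `out` step only substitutes `"` characters in `inputs.title` before the value becomes `outputs.result`, so a consumer that interpolates that output into a `run:` line still receives essentially the raw title; if the fixture is meant to exercise a transform that is not a sanitizer, say so with a comment such as `# replacing only '"' does not neutralize the value for shell or expression contexts` above `- uses: frabert/replace-string-action@v2.5`. Separately, `forked-pr` is `required: true` with no default and callers pass a YAML boolean, but action inputs are always strings, so both `fromJSON(inputs.forked-pr)` guards see `"true"`/`"false"`; the input's description should state the expected values, e.g. `description: Whether the event is operating from a forked PR ("true"/"false")`. The third-party action is pinned by tag (`@v2.5`) rather than by commit SHA, which is harmless in a fixture but worth a one-line comment if this file is ever copied as a template.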
@@ -0,0 +1,95 @@
+name: changelog
+
+on:
+ workflow_call:
+ inputs:
+ taint:
+ description: taint
+ type: string
+ required: true
+ default: ""
+
+jobs:
+ changelog:
+ runs-on: ubuntu-latest
+ env:
+ file: CHANGELOG.md
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+ - name: Check ${{ env.file }}
+ run: |
+ if [[ $(git diff --name-only origin/master HEAD -- ${{ env.file }} | grep '^${{ env.file }}$' -c) -eq 0 ]]; then
+ echo "Expected '${{ env.file }}' to be modified"
+ exit 1
+ fi
+ update:
+ runs-on: ubuntu-latest
+ needs: changelog
+ continue-on-error: true
+ env:
+ file: CHANGELOG.md
+ next_version: next
+ link: '[#${{ github.event.number }}](https://github.com/fabricjs/fabric.js/pull/${{ github.event.number }})'
+ steps:
+ - run: echo "${{ inputs.taint }}"
+ - uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+ - name: Update ${{ env.file }} from PR title
+ id: update
+ uses: actions/github-script@v6
+ env:
+ log: '- ${{ github.event.pull_request.title }} ${{ env.link }}\n'
+ prev_log: '- ${{ github.event.changes.title.from }} ${{ env.link }}\n'
+ with:
+ result-encoding: string
+ script: |
+ const fs = require('fs');
+ const file = './${{ env.file }}';
+ let content = fs.readFileSync(file).toString();
+ const title = '[${{ env.next_version }}]';
+ const log = '${{ env.log }}';
+ let exists = ${{ needs.changelog.result == 'success' }};
+
+ if (!content.includes(title)) {
+ const insertAt = content.indexOf('\n') + 1;
+ content =
+ content.slice(0, insertAt) +
+ `\n## ${title}\n\n\n` +
+ content.slice(insertAt);
+ }
+
+ const insertAt = content.indexOf('\n', content.indexOf(title) + title.length + 1) + 1;
+ if (exists && ${{ github.event.action == 'edited' }}) {
+ const prevLog = '${{ env.prev_log }}';
+ const index = content.indexOf(prevLog, insertAt);
+ if (index > -1) {
+ content = content.slice(0, index) + content.slice(index + prevLog.length);
+ exists = false;
+ }
+ }
+
+ if (!exists) {
+ content = 
content.slice(0, insertAt) + log + content.slice(insertAt);
+ fs.writeFileSync(file, content);
+ return true;
+ }
+
+ return false;
+ - name: Setup node
+ if: fromJson(steps.update.outputs.result)
+ uses: actions/setup-node@v3
+ with:
+ node-version: 18.x
+ - name: Commit & Push
+ if: fromJson(steps.update.outputs.result)
+ run: |
+ npm ci
+ npx prettier --write ${{ env.file }}
+ git config user.name github-actions[bot]
+ git config user.email github-actions[bot]@users.noreply.github.com
+ git add ${{ env.file }}
+ git commit -m "update ${{ env.file }}"
+ git push
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-3.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-3.yml
index 231cddd0b88..62ad9ba779c 100644
--- a/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-3.yml
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-3.yml
@@ -11,4 +11,5 @@ jobs:
 with:
 taint: ${{ github.event.comment.body }}
 - run: echo "${{ steps.foo.outputs.result }}"
+ - run: echo "${{ steps.foo.outputs.result2 }}"
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-4.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-4.yml
new file mode 100644
index 00000000000..e6566012732
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-4.yml
@@ -0,0 +1,18 @@
+
+name: Issue Workflow
+on:
+ pull_request_target:
+jobs:
+ test:
+ name: Test
+ runs-on: ubuntu-latest
+ steps:
+ - name: Clone branch
+ id: clone
+ uses: TestOrg/TestRepo/.github/actions/clone-repo@main
+ with:
+ title: ${{ github.event.pull_request.title }}
+ forked-pr: true
+ fetch-depth: 2
+ - run: echo "${{ steps.clone.outputs.result }}"
+
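Review bot: The `taint` input under `workflow_call` is declared both `required: true` and `default: ""`; a required input must be supplied by the caller, so the default can never take effect and one of the two should be dropped (keeping `required: true` matches how `reusable-workflow-caller-3.yml` invokes it). In the `github-script` step, `env.log` and `env.prev_log` embed `github.event.pull_request.title` and `github.event.changes.title.from`, and `script:` then splices them into JS string literals via `'${{ env.log }}'` and `'${{ env.prev_log }}'`; that is presumably the expression-injection pattern this fixture exists to flag, so label it with `# log/prev_log carry the PR title verbatim and are interpolated into JS source below` above the step's `env:`. `${{ needs.changelog.result == 'success' }}` and `${{ github.event.action == 'edited' }}` are rendered into the script as bare tokens, which only parses because each expression yields a boolean; a short comment on `let exists = ...` would make that dependency explicit.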
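Review bot: `forked-pr: true` is hard-coded, so `fromJSON(inputs.forked-pr)` in the called action is always true and the `Clone forked PR` step — `actions/checkout` of `refs/pull/${{ github.event.number }}/merge` — runs on every `pull_request_target` event; if the fixture intends that combination (checking out PR-authored content in a job that holds the base repository's token), state it with `# forked-pr is fixed to true: the action checks out the PR merge ref under pull_request_target` above `with:`. Neither this workflow nor `reusable-workflow-caller-3.yml` declares a `permissions:` block, so both run with the repository's default `GITHUB_TOKEN` scope; adding `permissions: {}` at the top level would make the fixtures mirror the hardened shape even though they are never executed. `fetch-depth: 2` is passed as an integer where the action declares the string default `"1"`; inputs are stringified so it works, but quoting it as `"2"` keeps the types consistent across the two files.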
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-3.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-3.yml
new file mode 100644
index 00000000000..39dfafcf023
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-3.yml
@@ -0,0 +1,10 @@
+name: Caller
+
+on:
+ pull_request_target:
+
+jobs:
+ test:
+ uses: TestOrg/TestRepo/.github/workflows/reusable-workflow.yml@main
+ with:
+ taint: ${{ github.event.pull_request.title }}