mirror of
https://github.com/github/codeql.git
synced 2026-06-11 07:51:13 +02:00
Compare commits
11 Commits
copilot/co
...
andersfugm
| Author | SHA1 | Date | |
|---|---|---|---|
|
d0e652159e | ||
|
|
f3037d68ca | ||
|
|
c11d82737a | ||
|
|
557f904e22 | ||
|
|
5732a99f9d | ||
|
|
b89b6e432a | ||
|
|
9723044342 | ||
|
|
e21bc4da05 | ||
|
|
4a2f244ffa | ||
|
|
ed9e160e89 | ||
|
|
ed996ae48b |
208
.github/workflows/go-version-update.yml
vendored
208
.github/workflows/go-version-update.yml
vendored
@@ -1,208 +0,0 @@
|
||||
name: Update Go version
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
schedule:
|
||||
- cron: "0 3 * * 1" # Run weekly on Mondays at 3 AM UTC (1 = Monday)
|
||||
|
||||
permissions:
|
||||
contents: write
|
||||
pull-requests: write
|
||||
|
||||
jobs:
|
||||
update-go-version:
|
||||
name: Check and update Go version
|
||||
if: github.repository == 'github/codeql'
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v5
|
||||
with:
|
||||
fetch-depth: 0
|
||||
|
||||
- name: Set up Git
|
||||
run: |
|
||||
git config user.name "github-actions[bot]"
|
||||
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
|
||||
|
||||
- name: Fetch latest Go version
|
||||
id: fetch-version
|
||||
run: |
|
||||
LATEST_GO_VERSION=$(curl -s https://go.dev/dl/?mode=json | jq -r '.[0].version')
|
||||
|
||||
if [ -z "$LATEST_GO_VERSION" ] || [ "$LATEST_GO_VERSION" = "null" ]; then
|
||||
echo "Error: Failed to fetch latest Go version from go.dev"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "Latest Go version from go.dev: $LATEST_GO_VERSION"
|
||||
echo "version=$LATEST_GO_VERSION" >> $GITHUB_OUTPUT
|
||||
|
||||
# Extract version numbers (e.g., go1.26.0 -> 1.26.0)
|
||||
LATEST_VERSION_NUM=$(echo $LATEST_GO_VERSION | sed 's/^go//')
|
||||
echo "version_num=$LATEST_VERSION_NUM" >> $GITHUB_OUTPUT
|
||||
|
||||
# Extract major.minor version (e.g., 1.26.0 -> 1.26)
|
||||
LATEST_MAJOR_MINOR=$(echo $LATEST_VERSION_NUM | sed -E 's/^([0-9]+\.[0-9]+).*/\1/')
|
||||
echo "major_minor=$LATEST_MAJOR_MINOR" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Check current Go version
|
||||
id: current-version
|
||||
run: |
|
||||
CURRENT_VERSION=$(sed -n 's/.*go_sdk\.download(version = \"\([^\"]*\)\".*/\1/p' MODULE.bazel)
|
||||
|
||||
if [ -z "$CURRENT_VERSION" ]; then
|
||||
echo "Error: Could not extract Go version from MODULE.bazel"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "Current Go version in MODULE.bazel: $CURRENT_VERSION"
|
||||
echo "version=$CURRENT_VERSION" >> $GITHUB_OUTPUT
|
||||
|
||||
# Extract major.minor version
|
||||
CURRENT_MAJOR_MINOR=$(echo $CURRENT_VERSION | sed -E 's/^([0-9]+\.[0-9]+).*/\1/')
|
||||
echo "major_minor=$CURRENT_MAJOR_MINOR" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Compare versions
|
||||
id: compare
|
||||
run: |
|
||||
LATEST="${{ steps.fetch-version.outputs.version_num }}"
|
||||
CURRENT="${{ steps.current-version.outputs.version }}"
|
||||
|
||||
echo "Latest: $LATEST"
|
||||
echo "Current: $CURRENT"
|
||||
|
||||
if [ "$LATEST" = "$CURRENT" ]; then
|
||||
echo "Go version is up to date"
|
||||
echo "needs_update=false" >> $GITHUB_OUTPUT
|
||||
else
|
||||
echo "Go version needs update from $CURRENT to $LATEST"
|
||||
echo "needs_update=true" >> $GITHUB_OUTPUT
|
||||
fi
|
||||
|
||||
- name: Update Go version in files
|
||||
if: steps.compare.outputs.needs_update == 'true'
|
||||
run: |
|
||||
LATEST_VERSION_NUM="${{ steps.fetch-version.outputs.version_num }}"
|
||||
LATEST_MAJOR_MINOR="${{ steps.fetch-version.outputs.major_minor }}"
|
||||
CURRENT_VERSION="${{ steps.current-version.outputs.version }}"
|
||||
CURRENT_MAJOR_MINOR="${{ steps.current-version.outputs.major_minor }}"
|
||||
|
||||
echo "Updating from $CURRENT_VERSION to $LATEST_VERSION_NUM"
|
||||
|
||||
# Escape dots in current version strings for use in sed patterns
|
||||
CURRENT_VERSION_ESCAPED=$(echo "$CURRENT_VERSION" | sed 's/\./\\./g')
|
||||
CURRENT_MAJOR_MINOR_ESCAPED=$(echo "$CURRENT_MAJOR_MINOR" | sed 's/\./\\./g')
|
||||
|
||||
# Update MODULE.bazel
|
||||
sed -i "s/go_sdk\.download(version = \"$CURRENT_VERSION_ESCAPED\")/go_sdk.download(version = \"$LATEST_VERSION_NUM\")/" MODULE.bazel
|
||||
if ! grep -q "go_sdk.download(version = \"$LATEST_VERSION_NUM\")" MODULE.bazel; then
|
||||
echo "Error: Failed to update MODULE.bazel"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Update go/extractor/go.mod
|
||||
if ! sed -i "s/^go $CURRENT_MAJOR_MINOR_ESCAPED\$/go $LATEST_MAJOR_MINOR/" go/extractor/go.mod; then
|
||||
echo "Warning: Failed to update go directive in go.mod"
|
||||
fi
|
||||
if ! sed -i "s/^toolchain go$CURRENT_VERSION_ESCAPED\$/toolchain go$LATEST_VERSION_NUM/" go/extractor/go.mod; then
|
||||
echo "Warning: Failed to update toolchain in go.mod"
|
||||
fi
|
||||
|
||||
# Update go/extractor/autobuilder/build-environment.go
|
||||
if ! sed -i "s/var maxGoVersion = util\.NewSemVer(\"$CURRENT_MAJOR_MINOR_ESCAPED\")/var maxGoVersion = util.NewSemVer(\"$LATEST_MAJOR_MINOR\")/" go/extractor/autobuilder/build-environment.go; then
|
||||
echo "Warning: Failed to update build-environment.go"
|
||||
fi
|
||||
|
||||
# Update go/actions/test/action.yml
|
||||
if ! sed -i "s/default: \"~$CURRENT_VERSION_ESCAPED\"/default: \"~$LATEST_VERSION_NUM\"/" go/actions/test/action.yml; then
|
||||
echo "Warning: Failed to update action.yml"
|
||||
fi
|
||||
|
||||
# Show what changed
|
||||
git diff
|
||||
|
||||
- name: Check for changes
|
||||
id: check-changes
|
||||
if: steps.compare.outputs.needs_update == 'true'
|
||||
run: |
|
||||
if git diff --quiet; then
|
||||
echo "No changes detected"
|
||||
echo "has_changes=false" >> $GITHUB_OUTPUT
|
||||
else
|
||||
echo "Changes detected"
|
||||
echo "has_changes=true" >> $GITHUB_OUTPUT
|
||||
fi
|
||||
|
||||
- name: Check for existing PR
|
||||
if: steps.check-changes.outputs.has_changes == 'true'
|
||||
id: check-pr
|
||||
env:
|
||||
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
run: |
|
||||
BRANCH_NAME="workflow/go-version-update"
|
||||
PR_NUMBER=$(gh pr list --head "$BRANCH_NAME" --state open --json number --jq '.[0].number')
|
||||
|
||||
if [ -n "$PR_NUMBER" ]; then
|
||||
echo "Existing PR found: #$PR_NUMBER"
|
||||
echo "pr_exists=true" >> $GITHUB_OUTPUT
|
||||
echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT
|
||||
else
|
||||
echo "No existing PR found"
|
||||
echo "pr_exists=false" >> $GITHUB_OUTPUT
|
||||
fi
|
||||
|
||||
- name: Commit and push changes
|
||||
if: steps.check-changes.outputs.has_changes == 'true'
|
||||
run: |
|
||||
BRANCH_NAME="workflow/go-version-update"
|
||||
LATEST_VERSION_NUM="${{ steps.fetch-version.outputs.version_num }}"
|
||||
LATEST_MAJOR_MINOR="${{ steps.fetch-version.outputs.major_minor }}"
|
||||
|
||||
# Create or switch to branch
|
||||
git checkout -B "$BRANCH_NAME"
|
||||
|
||||
# Stage and commit changes
|
||||
git add MODULE.bazel go/extractor/go.mod go/extractor/autobuilder/build-environment.go go/actions/test/action.yml
|
||||
git commit -m "Go: Update to $LATEST_VERSION_NUM"
|
||||
|
||||
# Push changes
|
||||
git push --force-with-lease origin "$BRANCH_NAME"
|
||||
|
||||
- name: Create or update PR
|
||||
if: steps.check-changes.outputs.has_changes == 'true'
|
||||
env:
|
||||
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
run: |
|
||||
BRANCH_NAME="workflow/go-version-update"
|
||||
LATEST_VERSION_NUM="${{ steps.fetch-version.outputs.version_num }}"
|
||||
CURRENT_VERSION="${{ steps.current-version.outputs.version }}"
|
||||
|
||||
PR_TITLE="Go: Update to $LATEST_VERSION_NUM"
|
||||
|
||||
PR_BODY=$(cat <<EOF
|
||||
This PR updates Go from $CURRENT_VERSION to $LATEST_VERSION_NUM.
|
||||
|
||||
Updated files:
|
||||
- \`MODULE.bazel\` - go_sdk.download version
|
||||
- \`go/extractor/go.mod\` - go directive and toolchain
|
||||
- \`go/extractor/autobuilder/build-environment.go\` - maxGoVersion (only if MAJOR.MINOR changes)
|
||||
- \`go/actions/test/action.yml\` - default go-test-version
|
||||
|
||||
This PR was automatically created by the [Go version update workflow](https://github.com/${{ github.repository }}/blob/main/.github/workflows/go-version-update.yml).
|
||||
EOF
|
||||
)
|
||||
|
||||
if [ "${{ steps.check-pr.outputs.pr_exists }}" = "true" ]; then
|
||||
echo "Updating existing PR #${{ steps.check-pr.outputs.pr_number }}"
|
||||
gh pr edit "${{ steps.check-pr.outputs.pr_number }}" --title "$PR_TITLE" --body "$PR_BODY"
|
||||
else
|
||||
echo "Creating new PR"
|
||||
gh pr create \
|
||||
--title "$PR_TITLE" \
|
||||
--body "$PR_BODY" \
|
||||
--base main \
|
||||
--head "$BRANCH_NAME" \
|
||||
--label "Go"
|
||||
fi
|
||||
@@ -248,6 +248,7 @@ use_repo(
|
||||
"kotlin-compiler-2.2.20-Beta2",
|
||||
"kotlin-compiler-2.3.0",
|
||||
"kotlin-compiler-2.3.20",
|
||||
"kotlin-compiler-2.4.0",
|
||||
"kotlin-compiler-embeddable-1.8.0",
|
||||
"kotlin-compiler-embeddable-1.9.0-Beta",
|
||||
"kotlin-compiler-embeddable-1.9.20-Beta",
|
||||
@@ -259,6 +260,7 @@ use_repo(
|
||||
"kotlin-compiler-embeddable-2.2.20-Beta2",
|
||||
"kotlin-compiler-embeddable-2.3.0",
|
||||
"kotlin-compiler-embeddable-2.3.20",
|
||||
"kotlin-compiler-embeddable-2.4.0",
|
||||
"kotlin-stdlib-1.8.0",
|
||||
"kotlin-stdlib-1.9.0-Beta",
|
||||
"kotlin-stdlib-1.9.20-Beta",
|
||||
@@ -270,10 +272,11 @@ use_repo(
|
||||
"kotlin-stdlib-2.2.20-Beta2",
|
||||
"kotlin-stdlib-2.3.0",
|
||||
"kotlin-stdlib-2.3.20",
|
||||
"kotlin-stdlib-2.4.0",
|
||||
)
|
||||
|
||||
go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
|
||||
go_sdk.download(version = "1.26.4")
|
||||
go_sdk.download(version = "1.26.0")
|
||||
|
||||
go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
|
||||
go_deps.from_file(go_mod = "//go/extractor:go.mod")
|
||||
|
||||
@@ -3,14 +3,14 @@ name: Reusable workflow example
|
||||
on:
|
||||
workflow_call:
|
||||
inputs:
|
||||
config-path: # $ Source[actions/reusable-workflow-sinks] Source[actions/reusable-workflow-summaries]
|
||||
config-path:
|
||||
required: true
|
||||
type: string
|
||||
outputs:
|
||||
workflow-output1:
|
||||
value: ${{ jobs.job1.outputs.job-output1 }} # $ Alert[actions/reusable-workflow-summaries]
|
||||
value: ${{ jobs.job1.outputs.job-output1 }}
|
||||
workflow-output2:
|
||||
value: ${{ jobs.job1.outputs.job-output2 }} # $ Alert[actions/reusable-workflow-sources]
|
||||
value: ${{ jobs.job1.outputs.job-output2 }}
|
||||
secrets:
|
||||
token:
|
||||
required: true
|
||||
@@ -26,9 +26,9 @@ jobs:
|
||||
env:
|
||||
CONFIG_PATH: ${{ inputs.config-path }}
|
||||
run: |
|
||||
echo ${{ inputs.config-path }} # $ Alert[actions/reusable-workflow-sinks]
|
||||
echo ${{ inputs.config-path }}
|
||||
echo "::set-output name=step-output::$CONFIG_PATH"
|
||||
- name: Get changed files
|
||||
id: step2
|
||||
uses: tj-actions/changed-files@v40 # $ Source[actions/reusable-workflow-sources]
|
||||
uses: tj-actions/changed-files@v40
|
||||
|
||||
|
||||
@@ -1,6 +1,3 @@
|
||||
#select
|
||||
| action1/action.yml:32:18:32:51 | steps.replace.outputs.value | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | Sink |
|
||||
| action1/action.yml:35:25:35:50 | inputs.who-to-greet | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet | Sink |
|
||||
edges
|
||||
| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:28:18:28:43 | inputs.who-to-greet | provenance | |
|
||||
| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet | provenance | |
|
||||
@@ -13,3 +10,6 @@ nodes
|
||||
| action1/action.yml:32:18:32:51 | steps.replace.outputs.value | semmle.label | steps.replace.outputs.value |
|
||||
| action1/action.yml:35:25:35:50 | inputs.who-to-greet | semmle.label | inputs.who-to-greet |
|
||||
subpaths
|
||||
#select
|
||||
| action1/action.yml:32:18:32:51 | steps.replace.outputs.value | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | Sink |
|
||||
| action1/action.yml:35:25:35:50 | inputs.who-to-greet | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet | Sink |
|
||||
|
||||
@@ -1,2 +1 @@
|
||||
query: Models/CompositeActionsSinks.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
Models/CompositeActionsSinks.ql
|
||||
|
||||
@@ -1,9 +1,3 @@
|
||||
#select
|
||||
| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Source |
|
||||
| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Source |
|
||||
| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source |
|
||||
| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source |
|
||||
| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source |
|
||||
edges
|
||||
| action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | provenance | |
|
||||
| action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | provenance | |
|
||||
@@ -19,3 +13,9 @@ nodes
|
||||
| action1/action.yml:44:7:48:70 | Run Step: source [tainted] | semmle.label | Run Step: source [tainted] |
|
||||
| action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files |
|
||||
subpaths
|
||||
#select
|
||||
| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Source |
|
||||
| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Source |
|
||||
| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source |
|
||||
| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source |
|
||||
| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source |
|
||||
|
||||
@@ -1,2 +1,2 @@
|
||||
query: Models/CompositeActionsSources.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
Models/CompositeActionsSources.ql
|
||||
|
||||
|
||||
@@ -1,5 +1,3 @@
|
||||
#select
|
||||
| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Summary |
|
||||
edges
|
||||
| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:41:30:41:55 | inputs.who-to-greet | provenance | |
|
||||
| action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | provenance | |
|
||||
@@ -10,3 +8,5 @@ nodes
|
||||
| action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | semmle.label | Run Step: reflector [reflected] |
|
||||
| action1/action.yml:41:30:41:55 | inputs.who-to-greet | semmle.label | inputs.who-to-greet |
|
||||
subpaths
|
||||
#select
|
||||
| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Summary |
|
||||
|
||||
@@ -1,2 +1,2 @@
|
||||
query: Models/CompositeActionsSummaries.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
Models/CompositeActionsSummaries.ql
|
||||
|
||||
|
||||
@@ -1,5 +1,3 @@
|
||||
#select
|
||||
| .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | Sink |
|
||||
edges
|
||||
| .github/workflows/calling_workflow.yml:12:5:15:2 | Job: call2 [workflow-output1] | .github/workflows/calling_workflow.yml:35:20:35:62 | needs.call2.outputs.workflow-output1 | provenance | |
|
||||
| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | provenance | |
|
||||
@@ -22,3 +20,5 @@ nodes
|
||||
| .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | semmle.label | inputs.config-path |
|
||||
| .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | semmle.label | inputs.config-path |
|
||||
subpaths
|
||||
#select
|
||||
| .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | Sink |
|
||||
|
||||
@@ -1,2 +1,2 @@
|
||||
query: Models/ReusableWorkflowsSinks.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
Models/ReusableWorkflowsSinks.ql
|
||||
|
||||
|
||||
@@ -1,5 +1,3 @@
|
||||
#select
|
||||
| .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | Source |
|
||||
edges
|
||||
| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | provenance | |
|
||||
| .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | provenance | |
|
||||
@@ -10,3 +8,5 @@ nodes
|
||||
| .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | semmle.label | steps.step2.outputs.all_changed_files |
|
||||
| .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | semmle.label | Uses Step: step2 |
|
||||
subpaths
|
||||
#select
|
||||
| .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | Source |
|
||||
|
||||
@@ -1,2 +1,2 @@
|
||||
query: Models/ReusableWorkflowsSources.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
Models/ReusableWorkflowsSources.ql
|
||||
|
||||
|
||||
@@ -1,5 +1,3 @@
|
||||
#select
|
||||
| .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | Summary |
|
||||
edges
|
||||
| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | provenance | |
|
||||
| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | provenance | |
|
||||
@@ -14,3 +12,5 @@ nodes
|
||||
| .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | semmle.label | Run Step: step1 [step-output] |
|
||||
| .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | semmle.label | inputs.config-path |
|
||||
subpaths
|
||||
#select
|
||||
| .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | Summary |
|
||||
|
||||
@@ -1,2 +1,2 @@
|
||||
query: Models/ReusableWorkflowsSummaries.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
Models/ReusableWorkflowsSummaries.ql
|
||||
|
||||
|
||||
@@ -1,17 +1,17 @@
|
||||
name: 'Hello World'
|
||||
description: 'Greet someone'
|
||||
inputs:
|
||||
who-to-greet: # id of input # $ Source[actions/composite-action-sinks] Source[actions/composite-action-summaries]
|
||||
who-to-greet: # id of input
|
||||
description: 'Who to greet'
|
||||
required: true
|
||||
default: 'World'
|
||||
outputs:
|
||||
reflected:
|
||||
description: "Reflected input"
|
||||
value: ${{ steps.reflector.outputs.reflected }} # $ Alert[actions/composite-action-sources] Alert[actions/composite-action-summaries]
|
||||
value: ${{ steps.reflector.outputs.reflected }}
|
||||
tainted:
|
||||
description: "Reflected input"
|
||||
value: ${{ steps.source.outputs.tainted}} # $ Alert[actions/composite-action-sources]
|
||||
value: ${{ steps.source.outputs.tainted}}
|
||||
|
||||
runs:
|
||||
using: "composite"
|
||||
@@ -29,23 +29,23 @@ runs:
|
||||
find: 'foo'
|
||||
replace: ''
|
||||
- id: sink
|
||||
run: echo ${{ steps.replace.outputs.value }} # $ Alert[actions/composite-action-sinks]
|
||||
run: echo ${{ steps.replace.outputs.value }}
|
||||
shell: bash
|
||||
- name: Vulnerable Set Greeting
|
||||
run: echo "Hello ${{ inputs.who-to-greet }}." # $ Alert[actions/composite-action-sinks]
|
||||
run: echo "Hello ${{ inputs.who-to-greet }}."
|
||||
shell: bash
|
||||
- id: reflector
|
||||
run: echo "reflected=$(echo $INPUT_WHO_TO_GREET)" >> $GITHUB_OUTPUT
|
||||
shell: bash
|
||||
env:
|
||||
INPUT_WHO_TO_GREET: ${{ inputs.who-to-greet }} # $ Source[actions/composite-action-sources]
|
||||
INPUT_WHO_TO_GREET: ${{ inputs.who-to-greet }}
|
||||
- id: changed-files
|
||||
uses: tj-actions/changed-files@v40
|
||||
- id: source # $ Source[actions/composite-action-sources]
|
||||
- id: source
|
||||
run: echo "tainted=$(echo $TAINTED)" >> $GITHUB_OUTPUT
|
||||
shell: bash
|
||||
env:
|
||||
TAINTED: ${{ steps.changed-files.outputs.all_changed_files }} # $ Source[actions/composite-action-sources]
|
||||
TAINTED: ${{ steps.changed-files.outputs.all_changed_files }}
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -6,11 +6,11 @@ jobs:
|
||||
steps:
|
||||
- id: clob1
|
||||
env:
|
||||
BODY: ${{ github.event.comment.body }} # $ Source
|
||||
BODY: ${{ github.event.comment.body }}
|
||||
run: |
|
||||
# VULNERABLE
|
||||
echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT
|
||||
echo "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT # $ Alert
|
||||
echo "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT
|
||||
- id: clob2
|
||||
run: |
|
||||
echo ${{ steps.clob1.outputs.OUTPUT_1 }}
|
||||
@@ -32,8 +32,8 @@ jobs:
|
||||
with:
|
||||
run_id: ${{ github.event.workflow_run.id }}
|
||||
name: pr_number
|
||||
- id: clob1 # $ Source
|
||||
- id: clob1
|
||||
run: |
|
||||
# VULNERABLE
|
||||
echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT
|
||||
echo "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT # $ Alert
|
||||
echo "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT
|
||||
|
||||
@@ -6,18 +6,18 @@ jobs:
|
||||
steps:
|
||||
- id: clob1
|
||||
env:
|
||||
BODY: ${{ github.event.comment.body }} # $ Source
|
||||
BODY: ${{ github.event.comment.body }}
|
||||
run: |
|
||||
# VULNERABLE
|
||||
echo $BODY
|
||||
echo "::set-output name=OUTPUT::SAFE" # $ Alert
|
||||
echo "::set-output name=OUTPUT::SAFE"
|
||||
- id: clob2
|
||||
env:
|
||||
BODY: ${{ github.event.comment.body }} # $ Source
|
||||
BODY: ${{ github.event.comment.body }}
|
||||
run: |
|
||||
# VULNERABLE
|
||||
echo "::set-output name=OUTPUT::SAFE"
|
||||
echo $BODY # $ Alert
|
||||
echo $BODY
|
||||
- id: clob3
|
||||
run: |
|
||||
echo ${{ steps.clob1.outputs.OUTPUT }}
|
||||
@@ -38,25 +38,25 @@ jobs:
|
||||
with:
|
||||
run_id: ${{ github.event.workflow_run.id }}
|
||||
name: pr_number
|
||||
- id: clob1 # $ Source
|
||||
- id: clob1
|
||||
run: |
|
||||
# VULNERABLE
|
||||
PR="$(<pr-number)"
|
||||
echo "$PR"
|
||||
echo "::set-output name=OUTPUT::SAFE" # $ Alert
|
||||
echo "::set-output name=OUTPUT::SAFE"
|
||||
- id: clob2
|
||||
run: |
|
||||
# VULNERABLE
|
||||
cat pr-number
|
||||
echo "::set-output name=OUTPUT::SAFE" # $ Alert
|
||||
echo "::set-output name=OUTPUT::SAFE"
|
||||
- id: clob3
|
||||
run: |
|
||||
# VULNERABLE
|
||||
echo "::set-output name=OUTPUT::SAFE"
|
||||
ls *.txt # $ Alert
|
||||
ls *.txt
|
||||
- id: clob4
|
||||
run: |
|
||||
# VULNERABLE
|
||||
CURRENT_VERSION=$(cat gradle.properties | sed -n '/^version=/ { s/^version=//;p }')
|
||||
echo "$CURRENT_VERSION"
|
||||
echo "::set-output name=OUTPUT::SAFE" # $ Alert
|
||||
echo "::set-output name=OUTPUT::SAFE"
|
||||
|
||||
@@ -1,12 +1,3 @@
|
||||
#select
|
||||
| .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n |
|
||||
| .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n |
|
||||
| .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n |
|
||||
| .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | .github/workflows/output2.yml:16:18:16:49 | github.event.comment.body | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n |
|
||||
| .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n |
|
||||
| .github/workflows/output2.yml:48:14:51:48 | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:48:14:51:48 | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:48:14:51:48 | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n |
|
||||
| .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n |
|
||||
| .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n |
|
||||
edges
|
||||
| .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | provenance | Config |
|
||||
| .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | provenance | Config |
|
||||
@@ -31,3 +22,12 @@ nodes
|
||||
| .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | semmle.label | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n |
|
||||
| .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | semmle.label | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n |
|
||||
subpaths
|
||||
#select
|
||||
| .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n |
|
||||
| .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n |
|
||||
| .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n |
|
||||
| .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | .github/workflows/output2.yml:16:18:16:49 | github.event.comment.body | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n |
|
||||
| .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n |
|
||||
| .github/workflows/output2.yml:48:14:51:48 | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:48:14:51:48 | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:48:14:51:48 | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n |
|
||||
| .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n |
|
||||
| .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n |
|
||||
|
||||
@@ -1,2 +1 @@
|
||||
query: experimental/Security/CWE-074/OutputClobberingHigh.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
experimental/Security/CWE-074/OutputClobberingHigh.ql
|
||||
|
||||
@@ -12,9 +12,9 @@ jobs:
|
||||
steps:
|
||||
- run: |
|
||||
gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name"
|
||||
- name: Unzip # $ Source[actions/envvar-injection/critical]
|
||||
- name: Unzip
|
||||
run: |
|
||||
unzip artifact_name.zip -d foo
|
||||
- name: Env Var Injection
|
||||
run: |
|
||||
echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
|
||||
echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV
|
||||
|
||||
@@ -12,14 +12,14 @@ jobs:
|
||||
steps:
|
||||
- run: |
|
||||
gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name"
|
||||
- name: Unzip # $ Source[actions/envvar-injection/critical]
|
||||
- name: Unzip
|
||||
run: |
|
||||
unzip artifact_name.zip -d foo
|
||||
- name: Env Var Injection
|
||||
run: |
|
||||
echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"
|
||||
cat foo >> "$GITHUB_ENV"
|
||||
echo "EOF" >> "${GITHUB_ENV}" # $ Alert[actions/envvar-injection/critical]
|
||||
echo "EOF" >> "${GITHUB_ENV}"
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -12,7 +12,7 @@ jobs:
|
||||
steps:
|
||||
- run: |
|
||||
gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name"
|
||||
- name: Unzip # $ Source[actions/envvar-injection/critical]
|
||||
- name: Unzip
|
||||
run: |
|
||||
unzip artifact_name.zip -d foo
|
||||
- run: |
|
||||
@@ -20,7 +20,7 @@ jobs:
|
||||
echo 'JSON_RESPONSE<<EOF'
|
||||
cat foo
|
||||
echo EOF
|
||||
} >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
|
||||
} >> "$GITHUB_ENV"
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -10,23 +10,23 @@ jobs:
|
||||
|
||||
- run: echo "${{ github.event.pull_request.title }}" >> $GITHUB_PATH
|
||||
- env:
|
||||
PATHINJ: ${{ github.event.pull_request.title }} # $ Source[actions/envpath-injection/critical]
|
||||
run: echo $(echo "$PATHINJ") >> $GITHUB_PATH # $ Alert[actions/envpath-injection/critical]
|
||||
PATHINJ: ${{ github.event.pull_request.title }}
|
||||
run: echo $(echo "$PATHINJ") >> $GITHUB_PATH
|
||||
- env:
|
||||
PATHINJ: ${{ github.event.pull_request.title }} # $ Source[actions/envpath-injection/critical]
|
||||
run: echo $PATHINJ >> $GITHUB_PATH # $ Alert[actions/envpath-injection/critical]
|
||||
PATHINJ: ${{ github.event.pull_request.title }}
|
||||
run: echo $PATHINJ >> $GITHUB_PATH
|
||||
- env:
|
||||
PATHINJ: ${{ github.event.pull_request.title }} # $ Source[actions/envpath-injection/critical]
|
||||
run: echo ${PATHINJ} >> $GITHUB_PATH # $ Alert[actions/envpath-injection/critical]
|
||||
PATHINJ: ${{ github.event.pull_request.title }}
|
||||
run: echo ${PATHINJ} >> $GITHUB_PATH
|
||||
- uses: dawidd6/action-download-artifact@v2
|
||||
with:
|
||||
name: artifact_name
|
||||
path: foo
|
||||
- run: echo "$(cat foo/bar)" >> $GITHUB_PATH # $ Alert[actions/envpath-injection/critical] Source[actions/envpath-injection/critical]
|
||||
- run: echo "$(cat foo/bar)" >> $GITHUB_PATH
|
||||
- env:
|
||||
ACTIONS_ALLOW_UNSECURE_COMMANDS: true
|
||||
PATHINJ: ${{ github.event.pull_request.title }} # $ Source[actions/envpath-injection/critical]
|
||||
run: echo "::add-path::$PATHINJ" # $ Alert[actions/envpath-injection/critical]
|
||||
PATHINJ: ${{ github.event.pull_request.title }}
|
||||
run: echo "::add-path::$PATHINJ"
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -23,6 +23,6 @@ jobs:
|
||||
ref: ${{steps.decide-ref.outputs.ref}}
|
||||
path: "foo"
|
||||
|
||||
- name: Read Java Config # $ Source[actions/envvar-injection/critical]
|
||||
run: cat foo/.github/java-config.env >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
|
||||
- name: Read Java Config
|
||||
run: cat foo/.github/java-config.env >> $GITHUB_ENV
|
||||
|
||||
|
||||
@@ -18,11 +18,11 @@ jobs:
|
||||
run_id: ${{ github.event.workflow_run.id }}
|
||||
name: runtime-versions.md
|
||||
|
||||
- name: "Put runtime versions on the environment" # $ Source[actions/envvar-injection/critical]
|
||||
- name: "Put runtime versions on the environment"
|
||||
id: runtime_versions
|
||||
run: |
|
||||
{
|
||||
echo 'RUNTIME_VERSIONS<<EOF'
|
||||
cat runtime-versions.md
|
||||
echo EOF
|
||||
} >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
|
||||
} >> "$GITHUB_ENV"
|
||||
|
||||
@@ -43,14 +43,14 @@ jobs:
|
||||
run_id: ${{ github.event.workflow_run.id }}
|
||||
name: runtime-versions.md
|
||||
|
||||
- name: "Put runtime versions on the environment" # $ Source[actions/envvar-injection/critical]
|
||||
- name: "Put runtime versions on the environment"
|
||||
id: runtime_versions
|
||||
run: |
|
||||
{
|
||||
echo 'RUNTIME_VERSIONS<<EOF'
|
||||
cat runtime-versions.md
|
||||
echo EOF
|
||||
} >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
|
||||
} >> "$GITHUB_ENV"
|
||||
|
||||
- name: "Download pre-release report"
|
||||
uses: dawidd6/action-download-artifact@v2
|
||||
@@ -58,14 +58,14 @@ jobs:
|
||||
run_id: ${{ github.event.workflow_run.id }}
|
||||
name: prerelease-report.md
|
||||
|
||||
- name: "Put pre-release report on the environment" # $ Source[actions/envvar-injection/critical]
|
||||
- name: "Put pre-release report on the environment"
|
||||
id: prerelease_report
|
||||
run: |
|
||||
{
|
||||
echo 'PRERELEASE_REPORT<<EOF'
|
||||
cat prerelease-report.md
|
||||
echo EOF
|
||||
} >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
|
||||
} >> "$GITHUB_ENV"
|
||||
|
||||
- name: "Comment on PR with Wrangler link"
|
||||
uses: marocchino/sticky-pull-request-comment@v2
|
||||
|
||||
@@ -17,7 +17,7 @@ jobs:
|
||||
- name: Get commit message
|
||||
run: |
|
||||
COMMIT_MESSAGE=$(git log --format=%s)
|
||||
echo "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
|
||||
echo "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV
|
||||
- name: Get commit message
|
||||
run: |
|
||||
echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
|
||||
echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV
|
||||
|
||||
@@ -12,7 +12,7 @@ jobs:
|
||||
ref: ${{ github.event.pull_request.head.sha }}
|
||||
- id: changed-files
|
||||
run: |
|
||||
echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
|
||||
echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"
|
||||
- run: echo "${{ env.CHANGED-FILES }}"
|
||||
test2:
|
||||
runs-on: ubuntu-latest
|
||||
@@ -23,7 +23,7 @@ jobs:
|
||||
- id: changed-files
|
||||
run: |
|
||||
FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)
|
||||
echo "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
|
||||
echo "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"
|
||||
- run: echo "${{ env.CHANGED-FILES }}"
|
||||
|
||||
|
||||
|
||||
@@ -9,7 +9,7 @@ jobs:
|
||||
steps:
|
||||
- id: title
|
||||
run: |
|
||||
echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
|
||||
echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"
|
||||
- run: echo "$TITLE"
|
||||
test2:
|
||||
runs-on: ubuntu-latest
|
||||
@@ -17,7 +17,7 @@ jobs:
|
||||
- id: title
|
||||
run: |
|
||||
PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})
|
||||
echo "BODY=$PR_BODY" >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
|
||||
echo "BODY=$PR_BODY" >> "$GITHUB_ENV"
|
||||
- run: echo "$TITLE"
|
||||
test3:
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
@@ -12,12 +12,12 @@ jobs:
|
||||
with:
|
||||
workflow: ${{ github.event.workflow_run.workflow_id }}
|
||||
name: pr_metadata
|
||||
- run: | # $ Source[actions/envvar-injection/critical]
|
||||
# VULNERABLE
|
||||
echo "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
|
||||
- run: |
|
||||
# VULNERABLE
|
||||
echo "PR_NUMBER=$(cat pr_number.txt | tr ',' '\n')" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
|
||||
echo "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV
|
||||
- run: |
|
||||
# VULNERABLE
|
||||
echo "PR_NUMBER=$(cat pr_number.txt | tr ',' '\n')" >> $GITHUB_ENV
|
||||
- run: |
|
||||
# NOT VULNERABLE
|
||||
echo "PR_NUMBER=$(cat pr_number.txt | tr '\n' ' ')" >> $GITHUB_ENV
|
||||
|
||||
@@ -38,6 +38,6 @@ jobs:
|
||||
});
|
||||
var fs = require('fs');
|
||||
fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(downloadPr.data));
|
||||
- run: | # $ Source[actions/envvar-injection/critical]
|
||||
- run: |
|
||||
unzip pr.zip
|
||||
echo "pr_number=$(cat NR)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
|
||||
echo "pr_number=$(cat NR)" >> $GITHUB_ENV
|
||||
|
||||
@@ -17,7 +17,7 @@ jobs:
|
||||
workflow_conclusion: ''
|
||||
name: pr_metadata
|
||||
if_no_artifact_found: 'ignore'
|
||||
- run: | # $ Source[actions/envvar-injection/critical]
|
||||
- run: |
|
||||
echo "PR_NUMBER=$(cat pr_number.txt | jq -r .)" >> $GITHUB_ENV
|
||||
echo "PR_HEAD_REPO=$(cat pr_head_repo.txt | jq -Rr .)" >> $GITHUB_ENV
|
||||
echo "PR_HEAD_REF=$(cat pr_head_ref.txt | jq -Rr .)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
|
||||
echo "PR_HEAD_REF=$(cat pr_head_ref.txt | jq -Rr .)" >> $GITHUB_ENV
|
||||
|
||||
@@ -8,43 +8,43 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- env:
|
||||
TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
|
||||
TITLE: ${{ github.event.pull_request.title }}
|
||||
run: |
|
||||
echo "PR_TITLE=$TITLE" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
|
||||
echo "PR_TITLE=$TITLE" >> $GITHUB_ENV
|
||||
- env:
|
||||
TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
|
||||
TITLE: ${{ github.event.pull_request.title }}
|
||||
run: |
|
||||
echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
|
||||
echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV
|
||||
- env:
|
||||
TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
|
||||
TITLE: ${{ github.event.pull_request.title }}
|
||||
run: |
|
||||
echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
|
||||
echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV
|
||||
- env:
|
||||
TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
|
||||
TITLE: ${{ github.event.pull_request.title }}
|
||||
run: |
|
||||
echo "PR_TITLE<<EOF" >> $GITHUB_ENV
|
||||
echo "$TITLE" >> $GITHUB_ENV
|
||||
echo "EOF" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
|
||||
echo "EOF" >> $GITHUB_ENV
|
||||
- env:
|
||||
TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
|
||||
TITLE: ${{ github.event.pull_request.title }}
|
||||
run: |
|
||||
echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"
|
||||
echo "$TITLE" >> "${GITHUB_ENV}"
|
||||
echo "EOF" >> "${GITHUB_ENV}" # $ Alert[actions/envvar-injection/critical]
|
||||
echo "EOF" >> "${GITHUB_ENV}"
|
||||
- env:
|
||||
TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
|
||||
TITLE: ${{ github.event.pull_request.title }}
|
||||
run: |
|
||||
{
|
||||
echo 'JSON_RESPONSE<<EOF'
|
||||
echo "$TITLE"
|
||||
echo EOF
|
||||
} >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
|
||||
} >> "$GITHUB_ENV"
|
||||
- env:
|
||||
TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
|
||||
TITLE: ${{ github.event.pull_request.title }}
|
||||
run: |
|
||||
cat <<-EOF >> "$GITHUB_ENV"
|
||||
FOO=$TITLE
|
||||
EOF # $ Alert[actions/envvar-injection/critical]
|
||||
EOF
|
||||
- env:
|
||||
TITLE: ${{ github.event.pull_request.head.ref }}
|
||||
run: |
|
||||
@@ -52,12 +52,12 @@ jobs:
|
||||
- run: echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV
|
||||
env:
|
||||
TARGET_BRANCH: ${{ github.head_ref }}
|
||||
- run: echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
|
||||
- run: echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV
|
||||
env:
|
||||
TARGET_BRANCH: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
|
||||
- run: echo ISSUE_KEY=$(echo "${TITLE}" | grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
|
||||
TARGET_BRANCH: ${{ github.event.pull_request.title }}
|
||||
- run: echo ISSUE_KEY=$(echo "${TITLE}" | grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV
|
||||
env:
|
||||
TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
|
||||
TITLE: ${{ github.event.pull_request.title }}
|
||||
- env:
|
||||
TITLE: |-
|
||||
${{ github.event.pull_request.title }}
|
||||
|
||||
@@ -27,10 +27,10 @@ jobs:
|
||||
});
|
||||
let fs = require('fs');
|
||||
fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/oc-code-coverage.zip`, Buffer.from(download.data));
|
||||
- name: 'Unzip code coverage' # $ Source[actions/envvar-injection/critical]
|
||||
- name: 'Unzip code coverage'
|
||||
run: unzip oc-code-coverage.zip -d coverage
|
||||
- name: set env vars
|
||||
run: |
|
||||
echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV
|
||||
echo "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV
|
||||
echo "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
|
||||
echo "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV
|
||||
|
||||
@@ -8,20 +8,20 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- env:
|
||||
TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
|
||||
TITLE: ${{ github.event.pull_request.title }}
|
||||
run: |
|
||||
FOO=${TITLE##*/}
|
||||
echo PR_TITLE=${FOO} >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
|
||||
echo PR_TITLE=${FOO} >> $GITHUB_ENV
|
||||
- env:
|
||||
TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
|
||||
TITLE: ${{ github.event.pull_request.title }}
|
||||
run: |
|
||||
FOO=$TITLE+
|
||||
echo PR_TITLE=$FOO >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
|
||||
echo PR_TITLE=$FOO >> $GITHUB_ENV
|
||||
- env:
|
||||
TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
|
||||
TITLE: ${{ github.event.pull_request.title }}
|
||||
run: |
|
||||
venv="$(echo $TITLE)')"
|
||||
echo "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
|
||||
echo "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -13,7 +13,7 @@ jobs:
|
||||
run_id: ${{github.event.workflow_run.id}}
|
||||
name: artifact
|
||||
|
||||
- name: Load .env file # $ Source[actions/envvar-injection/critical]
|
||||
- name: Load .env file
|
||||
uses: aarcangeli/load-dotenv@v1.0.0
|
||||
with:
|
||||
path: 'backend/new'
|
||||
@@ -21,5 +21,5 @@ jobs:
|
||||
.env
|
||||
.env.test
|
||||
quiet: false
|
||||
if-file-not-found: error # $ Alert[actions/envvar-injection/critical]
|
||||
if-file-not-found: error
|
||||
|
||||
|
||||
@@ -27,13 +27,13 @@ jobs:
|
||||
run_id: ${{ github.event.workflow_run.id }}
|
||||
path: ./artifacts
|
||||
|
||||
- name: assignment # $ Source[actions/envvar-injection/critical]
|
||||
- name: assignment
|
||||
run: |
|
||||
foo=$(cat ./artifacts/parent-artifacts/event.txt)
|
||||
echo "foo=$foo" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
|
||||
echo "foo=$foo" >> $GITHUB_ENV
|
||||
- name: direct 1
|
||||
run: |
|
||||
echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
|
||||
echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV
|
||||
- name: direct 2
|
||||
run: |
|
||||
echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
|
||||
echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV
|
||||
|
||||
@@ -24,7 +24,7 @@ jobs:
|
||||
name: event_file
|
||||
path: artifacts/event_file
|
||||
|
||||
- name: Try to read PR number # $ Source[actions/envvar-injection/critical]
|
||||
- name: Try to read PR number
|
||||
id: set-ref
|
||||
run: |
|
||||
pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)
|
||||
@@ -38,4 +38,4 @@ jobs:
|
||||
fi
|
||||
|
||||
echo "pr_num=$pr_num" >> $GITHUB_ENV
|
||||
echo "ref=$ref" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
|
||||
echo "ref=$ref" >> $GITHUB_ENV
|
||||
|
||||
@@ -1,9 +1,3 @@
|
||||
#select
|
||||
| .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
edges
|
||||
| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance | Config |
|
||||
| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance | Config |
|
||||
@@ -22,3 +16,9 @@ nodes
|
||||
| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
|
||||
| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | semmle.label | echo "::add-path::$PATHINJ" |
|
||||
subpaths
|
||||
#select
|
||||
| .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
|
||||
@@ -1,2 +1 @@
|
||||
query: Security/CWE-077/EnvPathInjectionCritical.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
Security/CWE-077/EnvPathInjectionCritical.ql
|
||||
|
||||
@@ -1,4 +1,3 @@
|
||||
#select
|
||||
edges
|
||||
| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance | Config |
|
||||
| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance | Config |
|
||||
@@ -17,3 +16,4 @@ nodes
|
||||
| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
|
||||
| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | semmle.label | echo "::add-path::$PATHINJ" |
|
||||
subpaths
|
||||
#select
|
||||
|
||||
@@ -1,2 +1 @@
|
||||
query: Security/CWE-077/EnvPathInjectionMedium.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
Security/CWE-077/EnvPathInjectionMedium.ql
|
||||
|
||||
@@ -1,40 +1,3 @@
|
||||
#select
|
||||
| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<<EOF'\n cat foo\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<<EOF'\n cat foo\n echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<<EOF'\n cat foo\n echo EOF\n} >> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<<EOF'\n cat foo\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:3:3:3:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:3:3:3:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<<EOF'\n echo "$TITLE"\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<<EOF'\n echo "$TITLE"\n echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<<EOF'\n echo "$TITLE"\n echo EOF\n} >> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<<EOF'\n echo "$TITLE"\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:3:3:3:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/test7.yml:16:9:24:35 | Uses Step | .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Uses Step | .github/workflows/test7.yml:4:5:4:16 | workflow_run | workflow_run |
|
||||
| .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test11.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:3:3:3:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:3:3:3:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
edges
|
||||
| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | Config |
|
||||
| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config |
|
||||
@@ -129,3 +92,40 @@ nodes
|
||||
| .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n |
|
||||
| .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n |
|
||||
subpaths
|
||||
#select
|
||||
| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<<EOF'\n cat foo\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<<EOF'\n cat foo\n echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<<EOF'\n cat foo\n echo EOF\n} >> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<<EOF'\n cat foo\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:3:3:3:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:3:3:3:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<<EOF'\n echo "$TITLE"\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<<EOF'\n echo "$TITLE"\n echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<<EOF'\n echo "$TITLE"\n echo EOF\n} >> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<<EOF'\n echo "$TITLE"\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:3:3:3:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/test7.yml:16:9:24:35 | Uses Step | .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Uses Step | .github/workflows/test7.yml:4:5:4:16 | workflow_run | workflow_run |
|
||||
| .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test11.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:3:3:3:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:3:3:3:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
|
||||
@@ -1,2 +1 @@
|
||||
query: Security/CWE-077/EnvVarInjectionCritical.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
Security/CWE-077/EnvVarInjectionCritical.ql
|
||||
|
||||
@@ -1,4 +1,3 @@
|
||||
#select
|
||||
edges
|
||||
| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | Config |
|
||||
| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config |
|
||||
@@ -93,3 +92,4 @@ nodes
|
||||
| .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n |
|
||||
| .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n |
|
||||
subpaths
|
||||
#select
|
||||
|
||||
@@ -1,2 +1 @@
|
||||
query: Security/CWE-077/EnvVarInjectionMedium.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
Security/CWE-077/EnvVarInjectionMedium.ql
|
||||
|
||||
@@ -6,4 +6,4 @@ jobs:
|
||||
steps:
|
||||
- uses: ruby/setup-ruby@v2
|
||||
with:
|
||||
ruby-version: ${{ github.event.comment.body }} # $ Alert[actions/command-injection/critical]
|
||||
ruby-version: ${{ github.event.comment.body }}
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
#select
|
||||
| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential command injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment |
|
||||
edges
|
||||
nodes
|
||||
| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body |
|
||||
subpaths
|
||||
#select
|
||||
| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential command injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment |
|
||||
|
||||
@@ -1,2 +1 @@
|
||||
query: experimental/Security/CWE-078/CommandInjectionCritical.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
experimental/Security/CWE-078/CommandInjectionCritical.ql
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
#select
|
||||
edges
|
||||
nodes
|
||||
| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body |
|
||||
subpaths
|
||||
#select
|
||||
|
||||
@@ -1,2 +1 @@
|
||||
query: experimental/Security/CWE-078/CommandInjectionMedium.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
experimental/Security/CWE-078/CommandInjectionMedium.ql
|
||||
|
||||
@@ -7,7 +7,7 @@ jobs:
|
||||
test1:
|
||||
runs-on: ubuntu-latest
|
||||
env:
|
||||
TITLE: ${{github.event.pull_request.title}} # $ Source[actions/argument-injection/critical]
|
||||
TITLE: ${{github.event.pull_request.title}}
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
@@ -18,50 +18,50 @@ jobs:
|
||||
echo "s/FOO/$TITLE/g"
|
||||
- run: |
|
||||
# VULNERABLE
|
||||
sed "s/FOO/$TITLE/g" # $ Alert[actions/argument-injection/critical]
|
||||
sed "s/FOO/$TITLE/g"
|
||||
- run: |
|
||||
# VULNERABLE
|
||||
echo "foo" | sed "s/FOO/$TITLE/g" > bar # $ Alert[actions/argument-injection/critical]
|
||||
echo "foo" | sed "s/FOO/$TITLE/g" > bar
|
||||
- run: |
|
||||
# VULNERABLE
|
||||
echo $(echo "foo" | sed "s/FOO/$TITLE/g" > bar) # $ Alert[actions/argument-injection/critical]
|
||||
echo $(echo "foo" | sed "s/FOO/$TITLE/g" > bar)
|
||||
- run: |
|
||||
# VULNERABLE
|
||||
awk "BEGIN {$TITLE}" # $ Alert[actions/argument-injection/critical]
|
||||
awk "BEGIN {$TITLE}"
|
||||
- run: |
|
||||
# VULNERABLE
|
||||
sed -i "s/git_branch = .*/git_branch = \"$GITHUB_HEAD_REF\"/" config.json # $ Alert[actions/argument-injection/critical]
|
||||
sed -i "s/git_branch = .*/git_branch = \"$GITHUB_HEAD_REF\"/" config.json
|
||||
- run: |
|
||||
# VULNERABLE
|
||||
sed -i "s|git_branch = .*|git_branch = \"$GITHUB_HEAD_REF\"|" config.json # $ Alert[actions/argument-injection/critical]
|
||||
sed -i "s|git_branch = .*|git_branch = \"$GITHUB_HEAD_REF\"|" config.json
|
||||
- run: |
|
||||
# VULNERABLE
|
||||
sed -e 's#<branch_to_sync>#${TITLE}#' \
|
||||
-e 's#<sot_repo>#${{ env.sot_repo }}#' \
|
||||
-e 's#<destination_repo>#TITLE#' \
|
||||
.github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky # $ Alert[actions/argument-injection/critical]
|
||||
.github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky
|
||||
- run: |
|
||||
# VULNERABLE
|
||||
sed -e 's#<branch_to_sync>#TITLE#' \
|
||||
-e 's#<sot_repo>#${{ env.sot_repo }}#' \
|
||||
-e 's#<destination_repo>#${TITLE}#' \
|
||||
.github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky # $ Alert[actions/argument-injection/critical]
|
||||
.github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky
|
||||
- run: |
|
||||
# VULNERABLE
|
||||
BODY=$(git log --format=%s)
|
||||
sed "s/FOO/$BODY/g" > /tmp/foo # $ Alert[actions/argument-injection/critical]
|
||||
sed "s/FOO/$BODY/g" > /tmp/foo
|
||||
- run: |
|
||||
# VULNERABLE
|
||||
BODY=$(git diff --name-only HEAD)
|
||||
sed "s/FOO/$BODY/g" > /tmp/foo # $ Alert[actions/argument-injection/critical]
|
||||
sed "s/FOO/$BODY/g" > /tmp/foo
|
||||
- run: |
|
||||
# VULNERABLE
|
||||
BODY=$(git diff --name-only HEAD )
|
||||
sed "s/FOO/$BODY/g" > /tmp/foo # $ Alert[actions/argument-injection/critical]
|
||||
sed "s/FOO/$BODY/g" > /tmp/foo
|
||||
- run: |
|
||||
# VULNERABLE
|
||||
BODY=$(git diff --name-only HEAD^ | xargs)
|
||||
sed "s/FOO/$BODY/g" > /tmp/foo # $ Alert[actions/argument-injection/critical]
|
||||
sed "s/FOO/$BODY/g" > /tmp/foo
|
||||
- run: |
|
||||
# NOT VULNERABLE
|
||||
echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT
|
||||
|
||||
@@ -1,16 +1,3 @@
|
||||
#select
|
||||
| .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | awk | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
edges
|
||||
| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | provenance | Config |
|
||||
| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | provenance | Config |
|
||||
@@ -33,3 +20,16 @@ nodes
|
||||
| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n |
|
||||
| .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n |
|
||||
subpaths
|
||||
#select
|
||||
| .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | awk | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n -e 's#<destination_repo>#${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
|
||||
@@ -1,2 +1 @@
|
||||
query: experimental/Security/CWE-088/ArgumentInjectionCritical.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
experimental/Security/CWE-088/ArgumentInjectionCritical.ql
|
||||
|
||||
@@ -1,4 +1,3 @@
|
||||
#select
|
||||
edges
|
||||
| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | provenance | Config |
|
||||
| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | provenance | Config |
|
||||
@@ -21,3 +20,4 @@ nodes
|
||||
| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n |
|
||||
| .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n |
|
||||
subpaths
|
||||
#select
|
||||
|
||||
@@ -1,2 +1 @@
|
||||
query: experimental/Security/CWE-088/ArgumentInjectionMedium.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
experimental/Security/CWE-088/ArgumentInjectionMedium.ql
|
||||
|
||||
@@ -4,4 +4,4 @@ runs:
|
||||
using: 'composite'
|
||||
steps:
|
||||
- shell: bash
|
||||
run: echo '${{ github.event.pull_request.body }}' # $ Alert[actions/code-injection/critical]
|
||||
run: echo '${{ github.event.pull_request.body }}'
|
||||
|
||||
@@ -6,4 +6,4 @@ runs:
|
||||
- shell: bash
|
||||
env:
|
||||
FOO: ${{ secrets.FOO}}
|
||||
run: echo '${{ github.event.pull_request.body }}' # $ Alert[actions/code-injection/medium]
|
||||
run: echo '${{ github.event.pull_request.body }}'
|
||||
|
||||
@@ -4,4 +4,4 @@ runs:
|
||||
using: 'composite'
|
||||
steps:
|
||||
- shell: bash
|
||||
run: echo '${{ github.event.pull_request.body }}' # $ Alert[actions/code-injection/medium]
|
||||
run: echo '${{ github.event.pull_request.body }}'
|
||||
|
||||
@@ -16,7 +16,7 @@ runs:
|
||||
using: 'composite'
|
||||
steps:
|
||||
- shell: bash
|
||||
run: echo '${{ github.event.issue.body }}' # $ Alert[actions/code-injection/critical]
|
||||
run: echo '${{ github.event.issue.body }}'
|
||||
- name: Step
|
||||
id: step
|
||||
env:
|
||||
@@ -25,10 +25,10 @@ runs:
|
||||
run: echo "result=$(echo $FOO)" >> $GITHUB_OUTPUT
|
||||
- id: step2
|
||||
env:
|
||||
FOO2: ${{ github.event.issue.body }} # $ Source[actions/code-injection/critical]
|
||||
FOO2: ${{ github.event.issue.body }}
|
||||
shell: bash
|
||||
run: echo "result2=$(echo $FOO2)" >> $GITHUB_OUTPUT
|
||||
- name: Sink
|
||||
id: sink
|
||||
shell: bash
|
||||
run: echo "${{ inputs.taint }}" # $ Alert[actions/code-injection/critical]
|
||||
run: echo "${{ inputs.taint }}"
|
||||
|
||||
@@ -213,7 +213,7 @@ runs:
|
||||
run: |
|
||||
git config --global user.name "${{ inputs.github_username }}"
|
||||
git config --global user.email "${{ inputs.github_email }}"
|
||||
git pull origin ${{ github.head_ref || github.ref }} # $ Alert[actions/code-injection/critical]
|
||||
git pull origin ${{ github.head_ref || github.ref }}
|
||||
git add .
|
||||
git reset HEAD -- .github/workflows/ # workflow changes are not permitted with default token
|
||||
if ! git diff --staged --quiet; then
|
||||
|
||||
@@ -74,7 +74,7 @@ runs:
|
||||
# pip install -q git+https://github.com/ultralytics/actions@main codespell tomli
|
||||
run: |
|
||||
packages="ultralytics-actions"
|
||||
if [ "${{ inputs.spelling }}" = "true" ]; then # $ Alert[actions/code-injection/medium]
|
||||
if [ "${{ inputs.spelling }}" = "true" ]; then
|
||||
packages="$packages codespell tomli"
|
||||
fi
|
||||
|
||||
@@ -211,10 +211,10 @@ runs:
|
||||
- name: Commit and Push Changes
|
||||
if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && github.event.action != 'closed'
|
||||
run: |
|
||||
git config --global user.name "${{ inputs.github_username }}" # $ Alert[actions/code-injection/medium]
|
||||
git config --global user.email "${{ inputs.github_email }}" # $ Alert[actions/code-injection/medium]
|
||||
git config --global user.name "${{ inputs.github_username }}"
|
||||
git config --global user.email "${{ inputs.github_email }}"
|
||||
# this action is not called in the test
|
||||
git pull origin ${{ github.head_ref || github.ref }} # $ Alert[actions/code-injection/medium]
|
||||
git pull origin ${{ github.head_ref || github.ref }}
|
||||
git add .
|
||||
git reset HEAD -- .github/workflows/ # workflow changes are not permitted with default token
|
||||
if ! git diff --staged --quiet; then
|
||||
|
||||
@@ -19,7 +19,7 @@ runs:
|
||||
using: composite
|
||||
steps:
|
||||
- shell: bash
|
||||
run: echo "${{ inputs.title }}" # $ Alert[actions/code-injection/critical]
|
||||
run: echo "${{ inputs.title }}"
|
||||
- uses: frabert/replace-string-action@v2.5
|
||||
id: out
|
||||
with:
|
||||
|
||||
@@ -93,7 +93,7 @@ runs:
|
||||
shell: bash
|
||||
- shell: bash
|
||||
run: |
|
||||
echo "${{ inputs.body }}" # $ Alert[actions/code-injection/critical]
|
||||
echo "${{ inputs.body }}"
|
||||
|
||||
# Checkout Repository ----------------------------------------------------------------------------------------------
|
||||
- name: Checkout Repository
|
||||
@@ -220,7 +220,7 @@ runs:
|
||||
run: |
|
||||
git config --global user.name "${{ inputs.github_username }}"
|
||||
git config --global user.email "${{ inputs.github_email }}"
|
||||
git pull origin ${{ github.head_ref || github.ref }} # $ Alert[actions/code-injection/critical]
|
||||
git pull origin ${{ github.head_ref || github.ref }}
|
||||
git add .
|
||||
git reset HEAD -- .github/workflows/ # workflow changes are not permitted with default token
|
||||
if ! git diff --staged --quiet; then
|
||||
|
||||
@@ -14,7 +14,7 @@ jobs:
|
||||
- uses: actions/checkout@v2
|
||||
- name: Remove conflicting chars
|
||||
env:
|
||||
ISSUE_TITLE: ${{github.event.issue.title}} # $ Source[actions/code-injection/critical]
|
||||
ISSUE_TITLE: ${{github.event.issue.title}}
|
||||
uses: frabert/replace-string-action@1.2
|
||||
id: remove_quotations
|
||||
with:
|
||||
@@ -24,6 +24,6 @@ jobs:
|
||||
- name: Check info
|
||||
id: check-info
|
||||
run: |
|
||||
echo "foo $(pwsh bar ${{steps.remove_quotations.outputs.replaced}}) " >> $GITHUB_ENV # $ Alert[actions/code-injection/critical]
|
||||
echo "foo $(pwsh bar ${{steps.remove_quotations.outputs.replaced}}) " >> $GITHUB_ENV
|
||||
|
||||
|
||||
|
||||
@@ -17,12 +17,12 @@ jobs:
|
||||
workflow: ${{ github.event.workflow_run.workflow_id }}
|
||||
name: pr
|
||||
|
||||
- name: save PR id # $ Source[actions/code-injection/critical]
|
||||
- name: save PR id
|
||||
id: pr
|
||||
run: echo "::set-output name=id::$(<pr-id.txt)"
|
||||
|
||||
- name: upload surge service
|
||||
id: deploy
|
||||
run: |
|
||||
export DEPLOY_DOMAIN=https://ant-design-pro-preview-pr-${{ steps.pr.outputs.id }}.surge.sh # $ Alert[actions/code-injection/critical]
|
||||
export DEPLOY_DOMAIN=https://ant-design-pro-preview-pr-${{ steps.pr.outputs.id }}.surge.sh
|
||||
npx surge --project ./ --domain $DEPLOY_DOMAIN --token ${{ secrets.SURGE_TOKEN }}
|
||||
|
||||
@@ -16,8 +16,8 @@ jobs:
|
||||
with:
|
||||
name: README
|
||||
|
||||
- name: upload surge service # $ Source[actions/code-injection/critical]
|
||||
- name: upload surge service
|
||||
id: deploy
|
||||
run: |
|
||||
echo ${{ steps.pr.outputs.id }} # $ Alert[actions/code-injection/critical]
|
||||
echo ${{ steps.pr.outputs.id }}
|
||||
|
||||
|
||||
@@ -38,7 +38,7 @@ jobs:
|
||||
});
|
||||
var fs = require('fs');
|
||||
fs.writeFileSync('${{github.workspace}}/input.zip', Buffer.from(download.data));
|
||||
- name: Set needed env vars in outputs # $ Source[actions/code-injection/critical]
|
||||
- name: Set needed env vars in outputs
|
||||
id: prepare
|
||||
run: |
|
||||
unzip input.zip
|
||||
@@ -50,4 +50,4 @@ jobs:
|
||||
echo "PR: ${tmp}"
|
||||
echo "pr=${tmp}" >> $GITHUB_OUTPUT
|
||||
|
||||
- run: echo ${{ steps.prepare.outputs.pr }} # $ Alert[actions/code-injection/critical]
|
||||
- run: echo ${{ steps.prepare.outputs.pr }}
|
||||
|
||||
@@ -14,9 +14,9 @@ jobs:
|
||||
name: artifact
|
||||
|
||||
# Save PR id to output
|
||||
- name: Save artifact data # $ Source[actions/code-injection/critical]
|
||||
- name: Save artifact data
|
||||
id: artifact
|
||||
run: echo "::set-output name=id::$(<artifact.txt)"
|
||||
|
||||
- name: Use artifact
|
||||
run: echo ${{ steps.artifact.outputs.id }} # $ Alert[actions/code-injection/critical]
|
||||
run: echo ${{ steps.artifact.outputs.id }}
|
||||
|
||||
@@ -13,11 +13,11 @@ jobs:
|
||||
name: artifact
|
||||
|
||||
# Save PR id to output
|
||||
- name: Save artifact data # $ Source[actions/code-injection/critical]
|
||||
- name: Save artifact data
|
||||
id: artifact
|
||||
uses: juliangruber/read-file-action@v1
|
||||
with:
|
||||
path: ./artifact.txt
|
||||
- name: Use artifact
|
||||
run: echo ${{ steps.artifact.outputs.content }} # $ Alert[actions/code-injection/critical]
|
||||
run: echo ${{ steps.artifact.outputs.content }}
|
||||
|
||||
|
||||
@@ -12,13 +12,13 @@ jobs:
|
||||
run_id: ${{github.event.workflow_run.id}}
|
||||
name: artifact
|
||||
|
||||
- id: artifact # $ Source[actions/code-injection/critical]
|
||||
- id: artifact
|
||||
run: |
|
||||
echo "::set-output name=pr_number::$(<artifact.txt)"
|
||||
mkdir firebase-android
|
||||
unzip firebase-android.zip -d firebase-android
|
||||
- name: Use artifact
|
||||
run: echo ${{ steps.artifact.outputs.pr_number }} # $ Alert[actions/code-injection/critical]
|
||||
run: echo ${{ steps.artifact.outputs.pr_number }}
|
||||
|
||||
- id: artifact2
|
||||
run: |
|
||||
@@ -26,5 +26,5 @@ jobs:
|
||||
mkdir firebase-android
|
||||
unzip firebase-android.zip -d firebase-android
|
||||
- name: Use artifact
|
||||
run: echo ${{ steps.artifact2.outputs.pr_number }} # $ Alert[actions/code-injection/critical]
|
||||
run: echo ${{ steps.artifact2.outputs.pr_number }}
|
||||
|
||||
|
||||
@@ -12,7 +12,7 @@ jobs:
|
||||
run_id: ${{github.event.workflow_run.id}}
|
||||
name: artifact
|
||||
|
||||
- id: artifact # $ Source[actions/code-injection/critical]
|
||||
- id: artifact
|
||||
run: |
|
||||
set -eou pipefail
|
||||
pr_number=$(cat -e artifact.txt)
|
||||
@@ -27,5 +27,5 @@ jobs:
|
||||
mkdir firebase-android
|
||||
unzip firebase-android.zip -d firebase-android
|
||||
- name: Use artifact
|
||||
run: echo ${{ steps.artifact.outputs.pr_number }} # $ Alert[actions/code-injection/critical]
|
||||
run: echo ${{ steps.artifact.outputs.pr_number }}
|
||||
|
||||
|
||||
@@ -14,9 +14,9 @@ jobs:
|
||||
name: artifact
|
||||
|
||||
# Save PR id to output
|
||||
- name: Save artifact data # $ Source[actions/code-injection/critical]
|
||||
- name: Save artifact data
|
||||
id: artifact
|
||||
run: echo "::set-output name=id::$(<artifact.txt)"
|
||||
|
||||
- name: Use artifact
|
||||
run: echo ${{ steps.artifact.outputs.id }} # $ Alert[actions/code-injection/critical]
|
||||
run: echo ${{ steps.artifact.outputs.id }}
|
||||
|
||||
@@ -15,9 +15,9 @@ jobs:
|
||||
- name: Get changed files 1
|
||||
id: changed-files1
|
||||
uses: tj-actions/changed-files@v40
|
||||
- name: List all changed files 1 # $ Source[actions/code-injection/medium]
|
||||
- name: List all changed files 1
|
||||
run: |
|
||||
for file in ${{ steps.changed-files1.outputs.all_changed_files }}; do # $ Alert[actions/code-injection/medium]
|
||||
for file in ${{ steps.changed-files1.outputs.all_changed_files }}; do
|
||||
echo "$file was changed"
|
||||
done
|
||||
|
||||
@@ -35,9 +35,9 @@ jobs:
|
||||
uses: tj-actions/changed-files@v41
|
||||
with:
|
||||
safe_output: false
|
||||
- name: List all changed files 3 # $ Source[actions/code-injection/medium]
|
||||
- name: List all changed files 3
|
||||
run: |
|
||||
for file in ${{ steps.changed-files3.outputs.all_changed_files }}; do # $ Alert[actions/code-injection/medium]
|
||||
for file in ${{ steps.changed-files3.outputs.all_changed_files }}; do
|
||||
echo "$file was changed"
|
||||
done
|
||||
|
||||
@@ -53,8 +53,8 @@ jobs:
|
||||
- name: Get changed files 5
|
||||
id: changed-files5
|
||||
uses: tj-actions/changed-files@95690f9ece77c1740f4a55b7f1de9023ed6b1f87 # v39.2.3
|
||||
- name: List all changed files 5 # $ Source[actions/code-injection/medium]
|
||||
- name: List all changed files 5
|
||||
run: |
|
||||
for file in ${{ steps.changed-files5.outputs.all_changed_files }}; do # $ Alert[actions/code-injection/medium]
|
||||
for file in ${{ steps.changed-files5.outputs.all_changed_files }}; do
|
||||
echo "$file was changed"
|
||||
done
|
||||
|
||||
@@ -6,25 +6,25 @@ jobs:
|
||||
steps:
|
||||
- run: |
|
||||
Foo
|
||||
echo '${{ github.event.comment.body }}' # $ Alert[actions/code-injection/critical]
|
||||
echo '${{ github.event.comment.body }}'
|
||||
Bar
|
||||
|
||||
echo-chamber2:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- run: echo '${{ github.event.comment.body }}' # $ Alert[actions/code-injection/critical]
|
||||
- run: echo '${{ github.event.issue.body }}' # $ Alert[actions/code-injection/critical]
|
||||
- run: echo '${{ github.event.issue.title }}' # $ Alert[actions/code-injection/critical]
|
||||
- run: echo '${{ github.event.comment.body }}'
|
||||
- run: echo '${{ github.event.issue.body }}'
|
||||
- run: echo '${{ github.event.issue.title }}'
|
||||
|
||||
echo-chamber3:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/github-script@v3
|
||||
with:
|
||||
script: console.log('${{ github.event.comment.body }}') # $ Alert[actions/code-injection/critical]
|
||||
script: console.log('${{ github.event.comment.body }}')
|
||||
- uses: actions/github-script@v3
|
||||
with:
|
||||
script: console.log('${{ github.event.issue.body }}') # $ Alert[actions/code-injection/critical]
|
||||
script: console.log('${{ github.event.issue.body }}')
|
||||
- uses: actions/github-script@v3
|
||||
with:
|
||||
script: console.log('${{ github.event.issue.title }}') # $ Alert[actions/code-injection/critical]
|
||||
script: console.log('${{ github.event.issue.title }}')
|
||||
|
||||
@@ -7,6 +7,6 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- run: |
|
||||
LINE 1 echo '${{ github.event.comment.body }}' # $ Alert[actions/code-injection/critical]
|
||||
LINE 2 echo '${{github.event.issue.body}}' # $ Alert[actions/code-injection/critical]
|
||||
LINE 3 echo '${{ github.event.comment.body }}' # $ Alert[actions/code-injection/critical]
|
||||
LINE 1 echo '${{ github.event.comment.body }}'
|
||||
LINE 2 echo '${{github.event.issue.body}}'
|
||||
LINE 3 echo '${{ github.event.comment.body }}'
|
||||
|
||||
@@ -9,7 +9,7 @@ jobs:
|
||||
- uses: .github/actions/action5
|
||||
id: foo
|
||||
with:
|
||||
taint: ${{ github.event.comment.body }} # $ Source[actions/code-injection/critical]
|
||||
- run: echo "${{ steps.foo.outputs.result }}" # $ Alert[actions/code-injection/critical]
|
||||
- run: echo "${{ steps.foo.outputs.result2 }}" # $ Alert[actions/code-injection/critical]
|
||||
taint: ${{ github.event.comment.body }}
|
||||
- run: echo "${{ steps.foo.outputs.result }}"
|
||||
- run: echo "${{ steps.foo.outputs.result2 }}"
|
||||
|
||||
|
||||
@@ -11,8 +11,8 @@ jobs:
|
||||
id: clone
|
||||
uses: TestOrg/TestRepo/.github/actions/clone-repo@main
|
||||
with:
|
||||
title: ${{ github.event.pull_request.title }} # $ Source[actions/code-injection/critical]
|
||||
title: ${{ github.event.pull_request.title }}
|
||||
forked-pr: true
|
||||
fetch-depth: 2
|
||||
- run: echo "${{ steps.clone.outputs.result }}" # $ Alert[actions/code-injection/critical]
|
||||
- run: echo "${{ steps.clone.outputs.result }}"
|
||||
|
||||
|
||||
@@ -29,7 +29,7 @@ jobs:
|
||||
id: remove_quotations
|
||||
with:
|
||||
pattern: "\""
|
||||
string: ${{github.event.commits[0].message}} # $ Source[actions/code-injection/medium]
|
||||
string: ${{github.event.commits[0].message}}
|
||||
replace-with: "-"
|
||||
flags: g
|
||||
|
||||
@@ -39,7 +39,7 @@ jobs:
|
||||
ISSUE_BODY_PARSED: ${{steps.remove_quotations.outputs.replaced}}
|
||||
id: check-info
|
||||
run: |
|
||||
echo "destination_branch=$(pwsh .\\.github\\scripts\\cherry_pick_check.ps1 "${{ env.ISSUE_BODY_PARSED }}" )" >> $GITHUB_ENV # $ Alert[actions/code-injection/medium]
|
||||
echo "destination_branch=$(pwsh .\\.github\\scripts\\cherry_pick_check.ps1 "${{ env.ISSUE_BODY_PARSED }}" )" >> $GITHUB_ENV
|
||||
|
||||
#If a target branch was found will run the action
|
||||
- if: env.destination_branch != 'invalid'
|
||||
@@ -50,7 +50,7 @@ jobs:
|
||||
git checkout -b ${{env.auto_branch}} origin/${{env.destination_branch}}
|
||||
git cherry-pick -x ${{github.event.after}} --strategy-option theirs
|
||||
git push -u origin ${{env.auto_branch}}
|
||||
hub pull-request -b "${{env.destination_branch}}" -h "${{env.auto_branch}}" -m "${{env.pr_message}}" # $ Alert[actions/code-injection/medium]
|
||||
hub pull-request -b "${{env.destination_branch}}" -h "${{env.auto_branch}}" -m "${{env.pr_message}}"
|
||||
env:
|
||||
#Token used for the pull request. Corresponds to the DynamoBot account
|
||||
GITHUB_TOKEN: ${{secrets.DYNAMOBOTTOKEN}}
|
||||
|
||||
@@ -4,5 +4,5 @@ jobs:
|
||||
echo-chamber:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- run: echo '${{ github.event.discussion.title }}' # $ Alert[actions/code-injection/critical]
|
||||
- run: echo '${{ github.event.discussion.body }}' # $ Alert[actions/code-injection/critical]
|
||||
- run: echo '${{ github.event.discussion.title }}'
|
||||
- run: echo '${{ github.event.discussion.body }}'
|
||||
@@ -4,6 +4,6 @@ jobs:
|
||||
echo-chamber:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- run: echo '${{ github.event.discussion.title }}' # $ Alert[actions/code-injection/critical]
|
||||
- run: echo '${{ github.event.discussion.body }}' # $ Alert[actions/code-injection/critical]
|
||||
- run: echo '${{ github.event.comment.body }}' # $ Alert[actions/code-injection/critical]
|
||||
- run: echo '${{ github.event.discussion.title }}'
|
||||
- run: echo '${{ github.event.discussion.body }}'
|
||||
- run: echo '${{ github.event.comment.body }}'
|
||||
@@ -81,7 +81,7 @@ jobs:
|
||||
|
||||
git push \
|
||||
"https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \
|
||||
'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}' # $ Alert[actions/code-injection/critical] Source[actions/code-injection/critical]
|
||||
'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'
|
||||
env:
|
||||
BOT_PA_TOKEN: ${{ secrets.githubBotPAT }}
|
||||
|
||||
@@ -91,4 +91,4 @@ jobs:
|
||||
with:
|
||||
github-token: ${{ secrets.githubBotPAT }}
|
||||
script: |
|
||||
const fileList = `${{ steps.git-commit.outputs.file-list }}` # $ Alert[actions/code-injection/critical]
|
||||
const fileList = `${{ steps.git-commit.outputs.file-list }}`
|
||||
|
||||
@@ -33,7 +33,7 @@ jobs:
|
||||
next_version: next
|
||||
link: '[#${{ github.event.number }}](https://github.com/fabricjs/fabric.js/pull/${{ github.event.number }})'
|
||||
steps:
|
||||
- run: echo "${{ inputs.taint }}" # $ Alert[actions/code-injection/critical]
|
||||
- run: echo "${{ inputs.taint }}"
|
||||
- uses: actions/checkout@v3
|
||||
with:
|
||||
ref: ${{ github.event.pull_request.head.ref }}
|
||||
@@ -41,8 +41,8 @@ jobs:
|
||||
id: update
|
||||
uses: actions/github-script@v6
|
||||
env:
|
||||
log: '- ${{ github.event.pull_request.title }} ${{ env.link }}\n' # $ Source[actions/code-injection/critical]
|
||||
prev_log: '- ${{ github.event.changes.title.from }} ${{ env.link }}\n' # $ Source[actions/code-injection/critical]
|
||||
log: '- ${{ github.event.pull_request.title }} ${{ env.link }}\n'
|
||||
prev_log: '- ${{ github.event.changes.title.from }} ${{ env.link }}\n'
|
||||
with:
|
||||
result-encoding: string
|
||||
script: |
|
||||
@@ -50,7 +50,7 @@ jobs:
|
||||
const file = './${{ env.file }}';
|
||||
let content = fs.readFileSync(file).toString();
|
||||
const title = '[${{ env.next_version }}]';
|
||||
const log = '${{ env.log }}'; # $ Alert[actions/code-injection/critical]
|
||||
const log = '${{ env.log }}';
|
||||
let exists = ${{ needs.changelog.result == 'success' }};
|
||||
|
||||
if (!content.includes(title)) {
|
||||
@@ -63,7 +63,7 @@ jobs:
|
||||
|
||||
const insertAt = content.indexOf('\n', content.indexOf(title) + title.length + 1) + 1;
|
||||
if (exists && ${{ github.event.action == 'edited' }}) {
|
||||
const prevLog = '${{ env.prev_log }}'; # $ Alert[actions/code-injection/critical]
|
||||
const prevLog = '${{ env.prev_log }}';
|
||||
const index = content.indexOf(prevLog, insertAt);
|
||||
if (index > -1) {
|
||||
content = content.slice(0, index) + content.slice(index + prevLog.length);
|
||||
|
||||
@@ -4,8 +4,8 @@ jobs:
|
||||
echo-chamber:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- run: echo '${{ github.event.pages[1].title }}' # $ Alert[actions/code-injection/medium]
|
||||
- run: echo '${{ github.event.pages[11].title }}' # $ Alert[actions/code-injection/medium]
|
||||
- run: echo '${{ github.event.pages[0].page_name }}' # $ Alert[actions/code-injection/medium]
|
||||
- run: echo '${{ github.event.pages[2222].page_name }}' # $ Alert[actions/code-injection/medium]
|
||||
- run: echo '${{ github.event.pages[1].title }}'
|
||||
- run: echo '${{ github.event.pages[11].title }}'
|
||||
- run: echo '${{ github.event.pages[0].page_name }}'
|
||||
- run: echo '${{ github.event.pages[2222].page_name }}'
|
||||
- run: echo '${{ toJSON(github.event.pages.*.title) }}' # safe
|
||||
@@ -15,7 +15,7 @@ jobs:
|
||||
- name: Extract and Clean Initial URL
|
||||
id: extract-url
|
||||
env:
|
||||
BODY: ${{ github.event.comment.body }} # $ Source[actions/code-injection/critical]
|
||||
BODY: ${{ github.event.comment.body }}
|
||||
run: |
|
||||
echo "::set-output name=initial_url::$BODY"
|
||||
|
||||
@@ -34,4 +34,4 @@ jobs:
|
||||
|
||||
- name: Update Comment with New URL
|
||||
run: |
|
||||
NEW_COMMENT_BODY="Use this link to include this asset in your changelog: ${{ steps.trim-url.outputs.trimmed_url }}" # $ Alert[actions/code-injection/critical]
|
||||
NEW_COMMENT_BODY="Use this link to include this asset in your changelog: ${{ steps.trim-url.outputs.trimmed_url }}"
|
||||
|
||||
@@ -23,7 +23,7 @@ jobs:
|
||||
id: source
|
||||
uses: tj-actions/changed-files@v40
|
||||
|
||||
- name: Remove foo from changed files # $ Source[actions/code-injection/medium]
|
||||
- name: Remove foo from changed files
|
||||
id: step
|
||||
uses: mad9000/actions-find-and-replace-string@3
|
||||
with:
|
||||
@@ -40,4 +40,4 @@ jobs:
|
||||
|
||||
steps:
|
||||
- id: sink
|
||||
run: echo ${{needs.job1.outputs.job_output}} # $ Alert[actions/code-injection/medium]
|
||||
run: echo ${{needs.job1.outputs.job_output}}
|
||||
|
||||
@@ -23,7 +23,7 @@ jobs:
|
||||
id: source
|
||||
uses: tj-actions/changed-files@v40
|
||||
|
||||
- name: Remove foo from changed files # $ Source[actions/code-injection/medium]
|
||||
- name: Remove foo from changed files
|
||||
id: step
|
||||
uses: mad9000/actions-find-and-replace-string@3
|
||||
with:
|
||||
@@ -40,4 +40,4 @@ jobs:
|
||||
|
||||
steps:
|
||||
- id: sink
|
||||
run: echo ${{needs.job1.outputs.job_output}} # $ Alert[actions/code-injection/medium]
|
||||
run: echo ${{needs.job1.outputs.job_output}}
|
||||
|
||||
@@ -23,7 +23,7 @@ jobs:
|
||||
id: source
|
||||
uses: tj-actions/changed-files@v40
|
||||
|
||||
- name: Remove foo from changed files # $ Source[actions/code-injection/medium]
|
||||
- name: Remove foo from changed files
|
||||
id: step
|
||||
uses: mad9000/actions-find-and-replace-string@3
|
||||
with:
|
||||
@@ -42,4 +42,4 @@ jobs:
|
||||
|
||||
steps:
|
||||
- id: sink
|
||||
run: echo ${{needs.job1.outputs.job_output}} # $ Alert[actions/code-injection/medium]
|
||||
run: echo ${{needs.job1.outputs.job_output}}
|
||||
|
||||
@@ -23,7 +23,7 @@ jobs:
|
||||
id: source
|
||||
uses: tj-actions/changed-files@v40
|
||||
|
||||
- name: Remove foo from changed files # $ Source[actions/code-injection/medium]
|
||||
- name: Remove foo from changed files
|
||||
id: step
|
||||
uses: mad9000/actions-find-and-replace-string@3
|
||||
with:
|
||||
@@ -41,4 +41,4 @@ jobs:
|
||||
|
||||
steps:
|
||||
- id: sink
|
||||
run: echo ${{needs.job1.outputs.job_output}} # $ Alert[actions/code-injection/medium]
|
||||
run: echo ${{needs.job1.outputs.job_output}}
|
||||
|
||||
@@ -42,4 +42,4 @@ jobs:
|
||||
steps:
|
||||
- id: sink
|
||||
# Should not be reported since job1 is not needed
|
||||
run: echo ${{needs.job1.outputs.job_output}} # $ Alert[actions/code-injection/medium]
|
||||
run: echo ${{needs.job1.outputs.job_output}}
|
||||
|
||||
@@ -1,20 +1,20 @@
|
||||
on: issues
|
||||
|
||||
env:
|
||||
global_env: ${{ github.event.issue.title }} # $ Source[actions/code-injection/critical]
|
||||
global_env: ${{ github.event.issue.title }}
|
||||
test: test
|
||||
|
||||
jobs:
|
||||
echo-chamber:
|
||||
env:
|
||||
job_env: ${{ github.event.issue.title }} # $ Source[actions/code-injection/critical]
|
||||
job_env: ${{ github.event.issue.title }}
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- run: echo '${{ github.event.issue.title }}' # $ Alert[actions/code-injection/critical]
|
||||
- run: echo '${{ github.event.issue.body }}' # $ Alert[actions/code-injection/critical]
|
||||
- run: echo '${{ env.global_env }}' # $ Alert[actions/code-injection/critical]
|
||||
- run: echo '${{ github.event.issue.title }}'
|
||||
- run: echo '${{ github.event.issue.body }}'
|
||||
- run: echo '${{ env.global_env }}'
|
||||
- run: echo '${{ env.test }}'
|
||||
- run: echo '${{ env.job_env }}' # $ Alert[actions/code-injection/critical]
|
||||
- run: echo '${{ env.step_env }}' # $ Alert[actions/code-injection/critical]
|
||||
- run: echo '${{ env.job_env }}'
|
||||
- run: echo '${{ env.step_env }}'
|
||||
env:
|
||||
step_env: ${{ github.event.issue.title }} # $ Source[actions/code-injection/critical]
|
||||
step_env: ${{ github.event.issue.title }}
|
||||
|
||||
@@ -10,7 +10,7 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
if: ${{ github.event.comment.body == '/jira ticket' }}
|
||||
steps:
|
||||
- run: echo ${{ github.event.comment.body }} # $ Alert[actions/code-injection/critical]
|
||||
- run: echo ${{ github.event.comment.body }}
|
||||
|
||||
- name: Login
|
||||
uses: atlassian/gajira-login@v3
|
||||
@@ -20,7 +20,7 @@ jobs:
|
||||
JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }}
|
||||
|
||||
- name: SearchParam
|
||||
run: echo 'summary ~ ${{ toJSON(github.event.issue.title)}} AND project=${{ secrets.JIRA_PROJECT }}' # $ Alert[actions/code-injection/critical]
|
||||
run: echo 'summary ~ ${{ toJSON(github.event.issue.title)}} AND project=${{ secrets.JIRA_PROJECT }}'
|
||||
|
||||
- name: Search
|
||||
id: search
|
||||
|
||||
@@ -41,7 +41,7 @@ jobs:
|
||||
run: |
|
||||
echo "Checking issue body for profanities..."
|
||||
PROFANITIES_LIST="bad|disguting|horrible"
|
||||
if echo "${{ github.event.issue.body }}" | grep -qiE "$PROFANITIES_LIST"; then # $ Alert[actions/code-injection/critical]
|
||||
if echo "${{ github.event.issue.body }}" | grep -qiE "$PROFANITIES_LIST"; then
|
||||
echo "Profanity detected in issue body. Please clean up the language."
|
||||
exit 1
|
||||
else
|
||||
@@ -66,7 +66,7 @@ jobs:
|
||||
uses: actions/github-script@v5
|
||||
with:
|
||||
script: |
|
||||
const commentBody = "${{ github.event.comment.body }}"; # $ Alert[actions/code-injection/critical]
|
||||
const commentBody = "${{ github.event.comment.body }}";
|
||||
let response;
|
||||
if (commentBody.includes("hello")) {
|
||||
response = "Hello! How can I help you today?";
|
||||
|
||||
@@ -34,4 +34,4 @@ jobs:
|
||||
pr-message: 'Message that will be displayed on users first pr'
|
||||
- name: Log test executions
|
||||
run: |
|
||||
echo "Lint ran for branch ${{ github.event.workflow_run.head_branch }} in a PR from ${{ github.actor }}. Please check the logs for more information." # $ Alert[actions/code-injection/critical]
|
||||
echo "Lint ran for branch ${{ github.event.workflow_run.head_branch }} in a PR from ${{ github.actor }}. Please check the logs for more information."
|
||||
|
||||
@@ -11,4 +11,4 @@ jobs:
|
||||
test:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- run: echo "${{ github.event.pull_request.body }}" # $ Alert[actions/code-injection/medium]
|
||||
- run: echo "${{ github.event.pull_request.body }}"
|
||||
|
||||
@@ -4,11 +4,11 @@ jobs:
|
||||
echo-chamber:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- run: echo '${{ github.event.pull_request.title }}' # $ Alert[actions/code-injection/critical]
|
||||
- run: echo '${{ github.event.pull_request.body }}' # $ Alert[actions/code-injection/critical]
|
||||
- run: echo '${{ github.event.pull_request.head.label }}' # $ Alert[actions/code-injection/critical]
|
||||
- run: echo '${{ github.event.pull_request.head.repo.default_branch }}' # $ Alert[actions/code-injection/critical]
|
||||
- run: echo '${{ github.event.pull_request.head.repo.description }}' # $ Alert[actions/code-injection/critical]
|
||||
- run: echo '${{ github.event.pull_request.head.repo.homepage }}' # $ Alert[actions/code-injection/critical]
|
||||
- run: echo '${{ github.event.pull_request.head.ref }}' # $ Alert[actions/code-injection/critical]
|
||||
- run: echo '${{ github.event.review.body }}' # $ Alert[actions/code-injection/critical]
|
||||
- run: echo '${{ github.event.pull_request.title }}'
|
||||
- run: echo '${{ github.event.pull_request.body }}'
|
||||
- run: echo '${{ github.event.pull_request.head.label }}'
|
||||
- run: echo '${{ github.event.pull_request.head.repo.default_branch }}'
|
||||
- run: echo '${{ github.event.pull_request.head.repo.description }}'
|
||||
- run: echo '${{ github.event.pull_request.head.repo.homepage }}'
|
||||
- run: echo '${{ github.event.pull_request.head.ref }}'
|
||||
- run: echo '${{ github.event.review.body }}'
|
||||
|
||||
@@ -4,11 +4,11 @@ jobs:
|
||||
echo-chamber:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- run: echo '${{ github.event.pull_request.title }}' # $ Alert[actions/code-injection/critical]
|
||||
- run: echo '${{ github.event.pull_request.body }}' # $ Alert[actions/code-injection/critical]
|
||||
- run: echo '${{ github.event.pull_request.head.label }}' # $ Alert[actions/code-injection/critical]
|
||||
- run: echo '${{ github.event.pull_request.head.repo.default_branch }}' # $ Alert[actions/code-injection/critical]
|
||||
- run: echo '${{ github.event.pull_request.head.repo.description }}' # $ Alert[actions/code-injection/critical]
|
||||
- run: echo '${{ github.event.pull_request.head.repo.homepage }}' # $ Alert[actions/code-injection/critical]
|
||||
- run: echo '${{ github.event.pull_request.head.ref }}' # $ Alert[actions/code-injection/critical]
|
||||
- run: echo '${{ github.event.comment.body }}' # $ Alert[actions/code-injection/critical]
|
||||
- run: echo '${{ github.event.pull_request.title }}'
|
||||
- run: echo '${{ github.event.pull_request.body }}'
|
||||
- run: echo '${{ github.event.pull_request.head.label }}'
|
||||
- run: echo '${{ github.event.pull_request.head.repo.default_branch }}'
|
||||
- run: echo '${{ github.event.pull_request.head.repo.description }}'
|
||||
- run: echo '${{ github.event.pull_request.head.repo.homepage }}'
|
||||
- run: echo '${{ github.event.pull_request.head.ref }}'
|
||||
- run: echo '${{ github.event.comment.body }}'
|
||||
|
||||
@@ -6,12 +6,12 @@ jobs:
|
||||
steps:
|
||||
- run: echo '${{ github.event.issue.title }}' # not defined for this trigger, so we should not report it
|
||||
- run: echo '${{ github.event.issue.body }}' # not defined for this trigger, so we should not report it
|
||||
- run: echo '${{ github.event.pull_request.title }}' # $ Alert[actions/code-injection/critical]
|
||||
- run: echo '${{ github.event.pull_request.body }}' # $ Alert[actions/code-injection/critical]
|
||||
- run: echo '${{ github.event.pull_request.head.label }}' # $ Alert[actions/code-injection/critical]
|
||||
- run: echo '${{ github.event.pull_request.head.repo.default_branch }}' # $ Alert[actions/code-injection/critical]
|
||||
- run: echo '${{ github.event.pull_request.head.repo.description }}' # $ Alert[actions/code-injection/critical]
|
||||
- run: echo '${{ github.event.pull_request.head.repo.homepage }}' # $ Alert[actions/code-injection/critical]
|
||||
- run: echo '${{ github.event.pull_request.head.ref }}' # $ Alert[actions/code-injection/critical]
|
||||
- run: echo '${{ github.head_ref }}' # $ Alert[actions/code-injection/critical]
|
||||
- run: echo '${{ github.event.pull_request.title }}'
|
||||
- run: echo '${{ github.event.pull_request.body }}'
|
||||
- run: echo '${{ github.event.pull_request.head.label }}'
|
||||
- run: echo '${{ github.event.pull_request.head.repo.default_branch }}'
|
||||
- run: echo '${{ github.event.pull_request.head.repo.description }}'
|
||||
- run: echo '${{ github.event.pull_request.head.repo.homepage }}'
|
||||
- run: echo '${{ github.event.pull_request.head.ref }}'
|
||||
- run: echo '${{ github.head_ref }}'
|
||||
|
||||
|
||||
@@ -4,13 +4,13 @@ jobs:
|
||||
echo-chamber:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- run: echo '${{ github.event.commits[11].message }}' # $ Alert[actions/code-injection/medium]
|
||||
- run: echo '${{ github.event.commits[11].author.email }}' # $ Alert[actions/code-injection/medium]
|
||||
- run: echo '${{ github.event.commits[11].author.name }}' # $ Alert[actions/code-injection/medium]
|
||||
- run: echo '${{ github.event.head_commit.message }}' # $ Alert[actions/code-injection/medium]
|
||||
- run: echo '${{ github.event.head_commit.author.email }}' # $ Alert[actions/code-injection/medium]
|
||||
- run: echo '${{ github.event.head_commit.author.name }}' # $ Alert[actions/code-injection/medium]
|
||||
- run: echo '${{ github.event.head_commit.committer.email }}' # $ Alert[actions/code-injection/medium]
|
||||
- run: echo '${{ github.event.head_commit.committer.name }}' # $ Alert[actions/code-injection/medium]
|
||||
- run: echo '${{ github.event.commits[11].committer.email }}' # $ Alert[actions/code-injection/medium]
|
||||
- run: echo '${{ github.event.commits[11].committer.name }}' # $ Alert[actions/code-injection/medium]
|
||||
- run: echo '${{ github.event.commits[11].message }}'
|
||||
- run: echo '${{ github.event.commits[11].author.email }}'
|
||||
- run: echo '${{ github.event.commits[11].author.name }}'
|
||||
- run: echo '${{ github.event.head_commit.message }}'
|
||||
- run: echo '${{ github.event.head_commit.author.email }}'
|
||||
- run: echo '${{ github.event.head_commit.author.name }}'
|
||||
- run: echo '${{ github.event.head_commit.committer.email }}'
|
||||
- run: echo '${{ github.event.head_commit.committer.name }}'
|
||||
- run: echo '${{ github.event.commits[11].committer.email }}'
|
||||
- run: echo '${{ github.event.commits[11].committer.name }}'
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user