Python: model exception edges for raise-prone expressions inside try/with

The new CFG previously only emitted exception edges for explicit `raise`
and `assert` statements. As a result, code that became reachable only
via the exception path of an arbitrary expression (e.g., the body of an
`except` handler following a try-body whose `call()` could raise) was
classified as dead, breaking analyses like StackTraceExposure,
FileNotAlwaysClosed, ExceptionInfo, UseOfExit, and CatchingBaseException.

This commit adds a `mayThrow` predicate over expressions that are known
sources of implicit exceptions in Python (calls, attribute access,
subscripts, arithmetic/comparison operators, imports, await/yield/yield
from) plus `from m import *` at the statement level, and routes them
through the shared CFG's `beginAbruptCompletion(_, _, ExceptionSuccessor,
always=false)` hook.

The set of exception sources is restricted to nodes that are
syntactically inside a `try`/`with` statement in the same scope.
This mirrors Java's `ControlFlowGraph::mayThrow`, which only emits
exception edges where local handling can observe them — outside such
contexts, the edges add CFG complexity (weakening BarrierGuard
precision and breaking SSA continuity around augmented assignments and
subscript stores) without analysis benefit, since exceptions just
propagate to the function exit anyway.

Net effect on the test suite: ~100 alerts restored across the exception-
related query tests (StackTraceExposure +29, ExceptionInfo +17,
FileNotAlwaysClosed +52, UseOfExit +1, CatchingBaseException restored)
with no precision regressions. Affected `.expected` files and the
regression-guard `dead_under_no_raise.py` are updated accordingly.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

.github/workflows/go-version-update.yml

@@ -1,208 +0,0 @@
-name: Update Go version
-
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: "0 3 * * 1"  # Run weekly on Mondays at 3 AM UTC (1 = Monday)
-
-permissions:
-  contents: write
-  pull-requests: write
-
-jobs:
-  update-go-version:
-    name: Check and update Go version
-    if: github.repository == 'github/codeql'
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v5
-        with:
-          fetch-depth: 0
-
-      - name: Set up Git
-        run: |
-          git config user.name "github-actions[bot]"
-          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
-
-      - name: Fetch latest Go version
-        id: fetch-version
-        run: |
-          LATEST_GO_VERSION=$(curl -s https://go.dev/dl/?mode=json | jq -r '.[0].version')
-          
-          if [ -z "$LATEST_GO_VERSION" ] || [ "$LATEST_GO_VERSION" = "null" ]; then
-            echo "Error: Failed to fetch latest Go version from go.dev"
-            exit 1
-          fi
-          
-          echo "Latest Go version from go.dev: $LATEST_GO_VERSION"
-          echo "version=$LATEST_GO_VERSION" >> $GITHUB_OUTPUT
-          
-          # Extract version numbers (e.g., go1.26.0 -> 1.26.0)
-          LATEST_VERSION_NUM=$(echo $LATEST_GO_VERSION | sed 's/^go//')
-          echo "version_num=$LATEST_VERSION_NUM" >> $GITHUB_OUTPUT
-          
-          # Extract major.minor version (e.g., 1.26.0 -> 1.26)
-          LATEST_MAJOR_MINOR=$(echo $LATEST_VERSION_NUM | sed -E 's/^([0-9]+\.[0-9]+).*/\1/')
-          echo "major_minor=$LATEST_MAJOR_MINOR" >> $GITHUB_OUTPUT
-
-      - name: Check current Go version
-        id: current-version
-        run: |
-          CURRENT_VERSION=$(sed -n 's/.*go_sdk\.download(version = \"\([^\"]*\)\".*/\1/p' MODULE.bazel)
-          
-          if [ -z "$CURRENT_VERSION" ]; then
-            echo "Error: Could not extract Go version from MODULE.bazel"
-            exit 1
-          fi
-          
-          echo "Current Go version in MODULE.bazel: $CURRENT_VERSION"
-          echo "version=$CURRENT_VERSION" >> $GITHUB_OUTPUT
-          
-          # Extract major.minor version
-          CURRENT_MAJOR_MINOR=$(echo $CURRENT_VERSION | sed -E 's/^([0-9]+\.[0-9]+).*/\1/')
-          echo "major_minor=$CURRENT_MAJOR_MINOR" >> $GITHUB_OUTPUT
-
-      - name: Compare versions
-        id: compare
-        run: |
-          LATEST="${{ steps.fetch-version.outputs.version_num }}"
-          CURRENT="${{ steps.current-version.outputs.version }}"
-          
-          echo "Latest: $LATEST"
-          echo "Current: $CURRENT"
-          
-          if [ "$LATEST" = "$CURRENT" ]; then
-            echo "Go version is up to date"
-            echo "needs_update=false" >> $GITHUB_OUTPUT
-          else
-            echo "Go version needs update from $CURRENT to $LATEST"
-            echo "needs_update=true" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Update Go version in files
-        if: steps.compare.outputs.needs_update == 'true'
-        run: |
-          LATEST_VERSION_NUM="${{ steps.fetch-version.outputs.version_num }}"
-          LATEST_MAJOR_MINOR="${{ steps.fetch-version.outputs.major_minor }}"
-          CURRENT_VERSION="${{ steps.current-version.outputs.version }}"
-          CURRENT_MAJOR_MINOR="${{ steps.current-version.outputs.major_minor }}"
-          
-          echo "Updating from $CURRENT_VERSION to $LATEST_VERSION_NUM"
-          
-          # Escape dots in current version strings for use in sed patterns
-          CURRENT_VERSION_ESCAPED=$(echo "$CURRENT_VERSION" | sed 's/\./\\./g')
-          CURRENT_MAJOR_MINOR_ESCAPED=$(echo "$CURRENT_MAJOR_MINOR" | sed 's/\./\\./g')
-          
-          # Update MODULE.bazel
-          sed -i "s/go_sdk\.download(version = \"$CURRENT_VERSION_ESCAPED\")/go_sdk.download(version = \"$LATEST_VERSION_NUM\")/" MODULE.bazel
-          if ! grep -q "go_sdk.download(version = \"$LATEST_VERSION_NUM\")" MODULE.bazel; then
-            echo "Error: Failed to update MODULE.bazel"
-            exit 1
-          fi
-          
-          # Update go/extractor/go.mod
-          if ! sed -i "s/^go $CURRENT_MAJOR_MINOR_ESCAPED\$/go $LATEST_MAJOR_MINOR/" go/extractor/go.mod; then
-            echo "Warning: Failed to update go directive in go.mod"
-          fi
-          if ! sed -i "s/^toolchain go$CURRENT_VERSION_ESCAPED\$/toolchain go$LATEST_VERSION_NUM/" go/extractor/go.mod; then
-            echo "Warning: Failed to update toolchain in go.mod"
-          fi
-          
-          # Update go/extractor/autobuilder/build-environment.go
-          if ! sed -i "s/var maxGoVersion = util\.NewSemVer(\"$CURRENT_MAJOR_MINOR_ESCAPED\")/var maxGoVersion = util.NewSemVer(\"$LATEST_MAJOR_MINOR\")/" go/extractor/autobuilder/build-environment.go; then
-            echo "Warning: Failed to update build-environment.go"
-          fi
-          
-          # Update go/actions/test/action.yml
-          if ! sed -i "s/default: \"~$CURRENT_VERSION_ESCAPED\"/default: \"~$LATEST_VERSION_NUM\"/" go/actions/test/action.yml; then
-            echo "Warning: Failed to update action.yml"
-          fi
-          
-          # Show what changed
-          git diff
-
-      - name: Check for changes
-        id: check-changes
-        if: steps.compare.outputs.needs_update == 'true'
-        run: |
-          if git diff --quiet; then
-            echo "No changes detected"
-            echo "has_changes=false" >> $GITHUB_OUTPUT
-          else
-            echo "Changes detected"
-            echo "has_changes=true" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Check for existing PR
-        if: steps.check-changes.outputs.has_changes == 'true'
-        id: check-pr
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          BRANCH_NAME="workflow/go-version-update"
-          PR_NUMBER=$(gh pr list --head "$BRANCH_NAME" --state open --json number --jq '.[0].number')
-          
-          if [ -n "$PR_NUMBER" ]; then
-            echo "Existing PR found: #$PR_NUMBER"
-            echo "pr_exists=true" >> $GITHUB_OUTPUT
-            echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT
-          else
-            echo "No existing PR found"
-            echo "pr_exists=false" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Commit and push changes
-        if: steps.check-changes.outputs.has_changes == 'true'
-        run: |
-          BRANCH_NAME="workflow/go-version-update"
-          LATEST_VERSION_NUM="${{ steps.fetch-version.outputs.version_num }}"
-          LATEST_MAJOR_MINOR="${{ steps.fetch-version.outputs.major_minor }}"
-          
-          # Create or switch to branch
-          git checkout -B "$BRANCH_NAME"
-          
-          # Stage and commit changes
-          git add MODULE.bazel go/extractor/go.mod go/extractor/autobuilder/build-environment.go go/actions/test/action.yml
-          git commit -m "Go: Update to $LATEST_VERSION_NUM"
-          
-          # Push changes
-          git push --force-with-lease origin "$BRANCH_NAME"
-
-      - name: Create or update PR
-        if: steps.check-changes.outputs.has_changes == 'true'
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          BRANCH_NAME="workflow/go-version-update"
-          LATEST_VERSION_NUM="${{ steps.fetch-version.outputs.version_num }}"
-          CURRENT_VERSION="${{ steps.current-version.outputs.version }}"
-          
-          PR_TITLE="Go: Update to $LATEST_VERSION_NUM"
-          
-          PR_BODY=$(cat <<EOF
-          This PR updates Go from $CURRENT_VERSION to $LATEST_VERSION_NUM.
-
-          Updated files:
-          - \`MODULE.bazel\` - go_sdk.download version
-          - \`go/extractor/go.mod\` - go directive and toolchain
-          - \`go/extractor/autobuilder/build-environment.go\` - maxGoVersion (only if MAJOR.MINOR changes)
-          - \`go/actions/test/action.yml\` - default go-test-version
-
-          This PR was automatically created by the [Go version update workflow](https://github.com/${{ github.repository }}/blob/main/.github/workflows/go-version-update.yml).
-          EOF
-          )
-          
-          if [ "${{ steps.check-pr.outputs.pr_exists }}" = "true" ]; then
-            echo "Updating existing PR #${{ steps.check-pr.outputs.pr_number }}"
-            gh pr edit "${{ steps.check-pr.outputs.pr_number }}" --title "$PR_TITLE" --body "$PR_BODY"
-          else
-            echo "Creating new PR"
-            gh pr create \
-              --title "$PR_TITLE" \
-              --body "$PR_BODY" \
-              --base main \
-              --head "$BRANCH_NAME" \
-              --label "Go"
-          fi

MODULE.bazel

@@ -273,7 +273,7 @@ use_repo(
 )
 
 go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
-go_sdk.download(version = "1.26.4")
+go_sdk.download(version = "1.26.0")
 
 go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
 go_deps.from_file(go_mod = "//go/extractor:go.mod")

actions/ql/test/query-tests/Models/.github/workflows/reusable_workflow.yml

@@ -3,14 +3,14 @@ name: Reusable workflow example
 on:
   workflow_call:
     inputs:
-      config-path: # $ Source[actions/reusable-workflow-sinks] Source[actions/reusable-workflow-summaries]
+      config-path:
         required: true
         type: string
     outputs:
       workflow-output1:
-        value: ${{ jobs.job1.outputs.job-output1 }} # $ Alert[actions/reusable-workflow-summaries]
+        value: ${{ jobs.job1.outputs.job-output1 }}
       workflow-output2:
-        value: ${{ jobs.job1.outputs.job-output2 }} # $ Alert[actions/reusable-workflow-sources]
+        value: ${{ jobs.job1.outputs.job-output2 }}
     secrets:
       token:
         required: true
@@ -26,9 +26,9 @@ jobs:
         env:
           CONFIG_PATH: ${{ inputs.config-path }}
         run: |
-          echo ${{ inputs.config-path }} # $ Alert[actions/reusable-workflow-sinks]
+          echo ${{ inputs.config-path }}
           echo "::set-output name=step-output::$CONFIG_PATH"
       - name: Get changed files
         id: step2
-        uses: tj-actions/changed-files@v40 # $ Source[actions/reusable-workflow-sources]
+        uses: tj-actions/changed-files@v40
 

actions/ql/test/query-tests/Models/CompositeActionsSinks.expected

@@ -1,6 +1,3 @@
-#select
-| action1/action.yml:32:18:32:51 | steps.replace.outputs.value | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | Sink |
-| action1/action.yml:35:25:35:50 | inputs.who-to-greet | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet | Sink |
 edges
 | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:28:18:28:43 | inputs.who-to-greet | provenance |  |
 | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet | provenance |  |
@@ -13,3 +10,6 @@ nodes
 | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | semmle.label | steps.replace.outputs.value |
 | action1/action.yml:35:25:35:50 | inputs.who-to-greet | semmle.label | inputs.who-to-greet |
 subpaths
+#select
+| action1/action.yml:32:18:32:51 | steps.replace.outputs.value | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | Sink |
+| action1/action.yml:35:25:35:50 | inputs.who-to-greet | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet | Sink |

actions/ql/test/query-tests/Models/CompositeActionsSinks.qlref

@@ -1,2 +1 @@
-query: Models/CompositeActionsSinks.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+Models/CompositeActionsSinks.ql

actions/ql/test/query-tests/Models/CompositeActionsSources.expected

@@ -1,9 +1,3 @@
-#select
-| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Source |
-| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Source |
-| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source |
-| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source |
-| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source |
 edges
 | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | provenance |  |
 | action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | provenance |  |
@@ -19,3 +13,9 @@ nodes
 | action1/action.yml:44:7:48:70 | Run Step: source [tainted] | semmle.label | Run Step: source [tainted] |
 | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files |
 subpaths
+#select
+| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Source |
+| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Source |
+| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source |
+| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source |
+| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source |

actions/ql/test/query-tests/Models/CompositeActionsSources.qlref

@@ -1,2 +1,2 @@
-query: Models/CompositeActionsSources.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+Models/CompositeActionsSources.ql
+

actions/ql/test/query-tests/Models/CompositeActionsSummaries.expected

@@ -1,5 +1,3 @@
-#select
-| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Summary |
 edges
 | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:41:30:41:55 | inputs.who-to-greet | provenance |  |
 | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | provenance |  |
@@ -10,3 +8,5 @@ nodes
 | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | semmle.label | Run Step: reflector [reflected] |
 | action1/action.yml:41:30:41:55 | inputs.who-to-greet | semmle.label | inputs.who-to-greet |
 subpaths
+#select
+| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Summary |

actions/ql/test/query-tests/Models/CompositeActionsSummaries.qlref

@@ -1,2 +1,2 @@
-query: Models/CompositeActionsSummaries.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+Models/CompositeActionsSummaries.ql
+

actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.expected

@@ -1,5 +1,3 @@
-#select
-| .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | Sink |
 edges
 | .github/workflows/calling_workflow.yml:12:5:15:2 | Job: call2 [workflow-output1] | .github/workflows/calling_workflow.yml:35:20:35:62 | needs.call2.outputs.workflow-output1 | provenance |  |
 | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | provenance |  |
@@ -22,3 +20,5 @@ nodes
 | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | semmle.label | inputs.config-path |
 | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | semmle.label | inputs.config-path |
 subpaths
+#select
+| .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | Sink |

actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.qlref

@@ -1,2 +1,2 @@
-query: Models/ReusableWorkflowsSinks.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+Models/ReusableWorkflowsSinks.ql
+

actions/ql/test/query-tests/Models/ReusableWorkflowsSources.expected

@@ -1,5 +1,3 @@
-#select
-| .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | Source |
 edges
 | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | provenance |  |
 | .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | provenance |  |
@@ -10,3 +8,5 @@ nodes
 | .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | semmle.label | steps.step2.outputs.all_changed_files |
 | .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | semmle.label | Uses Step: step2 |
 subpaths
+#select
+| .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | Source |

actions/ql/test/query-tests/Models/ReusableWorkflowsSources.qlref

@@ -1,2 +1,2 @@
-query: Models/ReusableWorkflowsSources.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+Models/ReusableWorkflowsSources.ql
+

actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.expected

@@ -1,5 +1,3 @@
-#select
-| .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | Summary |
 edges
 | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | provenance |  |
 | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | provenance |  |
@@ -14,3 +12,5 @@ nodes
 | .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | semmle.label | Run Step: step1 [step-output] |
 | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | semmle.label | inputs.config-path |
 subpaths
+#select
+| .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | Summary |

actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.qlref

@@ -1,2 +1,2 @@
-query: Models/ReusableWorkflowsSummaries.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+Models/ReusableWorkflowsSummaries.ql
+

actions/ql/test/query-tests/Models/action1/action.yml

@@ -1,17 +1,17 @@
 name: 'Hello World'
 description: 'Greet someone'
 inputs:
-  who-to-greet:  # id of input # $ Source[actions/composite-action-sinks] Source[actions/composite-action-summaries]
+  who-to-greet:  # id of input
     description: 'Who to greet'
     required: true
     default: 'World'
 outputs:
   reflected:
     description: "Reflected input"
-    value: ${{ steps.reflector.outputs.reflected }} # $ Alert[actions/composite-action-sources] Alert[actions/composite-action-summaries]
+    value: ${{ steps.reflector.outputs.reflected }}
   tainted:
     description: "Reflected input"
-    value: ${{ steps.source.outputs.tainted}} # $ Alert[actions/composite-action-sources]
+    value: ${{ steps.source.outputs.tainted}}
 
 runs:
   using: "composite"
@@ -29,23 +29,23 @@ runs:
         find: 'foo'
         replace: ''
     - id: sink 
-      run: echo ${{ steps.replace.outputs.value }} # $ Alert[actions/composite-action-sinks]
+      run: echo ${{ steps.replace.outputs.value }}
       shell: bash
     - name: Vulnerable Set Greeting
-      run: echo "Hello ${{ inputs.who-to-greet }}." # $ Alert[actions/composite-action-sinks]
+      run: echo "Hello ${{ inputs.who-to-greet }}."
       shell: bash
     - id: reflector 
       run: echo "reflected=$(echo $INPUT_WHO_TO_GREET)" >> $GITHUB_OUTPUT
       shell: bash
       env:
-        INPUT_WHO_TO_GREET: ${{ inputs.who-to-greet }} # $ Source[actions/composite-action-sources]
+        INPUT_WHO_TO_GREET: ${{ inputs.who-to-greet }}
     - id: changed-files
       uses: tj-actions/changed-files@v40
-    - id: source # $ Source[actions/composite-action-sources]
+    - id: source
       run: echo "tainted=$(echo $TAINTED)" >> $GITHUB_OUTPUT
       shell: bash
       env:
-        TAINTED: ${{ steps.changed-files.outputs.all_changed_files }} # $ Source[actions/composite-action-sources]
+        TAINTED: ${{ steps.changed-files.outputs.all_changed_files }}
 
 
 

actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output1.yml

@@ -6,11 +6,11 @@ jobs:
     steps:
       - id: clob1
         env:
-          BODY: ${{ github.event.comment.body }} # $ Source
+          BODY: ${{ github.event.comment.body }}
         run: |
           # VULNERABLE
           echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT
-          echo "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT # $ Alert
+          echo "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT
       - id: clob2
         run: |
           echo ${{ steps.clob1.outputs.OUTPUT_1 }}
@@ -32,8 +32,8 @@ jobs:
         with:
           run_id: ${{ github.event.workflow_run.id }}
           name: pr_number 
-      - id: clob1 # $ Source
+      - id: clob1
         run: |
           # VULNERABLE
           echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT
-          echo "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT # $ Alert
+          echo "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT

actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output2.yml

@@ -6,18 +6,18 @@ jobs:
     steps:
       - id: clob1
         env:
-          BODY: ${{ github.event.comment.body }} # $ Source
+          BODY: ${{ github.event.comment.body }}
         run: |
           # VULNERABLE
           echo $BODY
-          echo "::set-output name=OUTPUT::SAFE" # $ Alert
+          echo "::set-output name=OUTPUT::SAFE"
       - id: clob2
         env:
-          BODY: ${{ github.event.comment.body }} # $ Source
+          BODY: ${{ github.event.comment.body }}
         run: |
           # VULNERABLE
           echo "::set-output name=OUTPUT::SAFE"
-          echo $BODY # $ Alert
+          echo $BODY
       - id: clob3
         run: |
           echo ${{ steps.clob1.outputs.OUTPUT }}
@@ -38,25 +38,25 @@ jobs:
         with:
           run_id: ${{ github.event.workflow_run.id }}
           name: pr_number 
-      - id: clob1 # $ Source
+      - id: clob1
         run: |
           # VULNERABLE
           PR="$(<pr-number)"
           echo "$PR"
-          echo "::set-output name=OUTPUT::SAFE" # $ Alert
+          echo "::set-output name=OUTPUT::SAFE"
       - id: clob2
         run: |
           # VULNERABLE
           cat pr-number
-          echo "::set-output name=OUTPUT::SAFE" # $ Alert
+          echo "::set-output name=OUTPUT::SAFE"
       - id: clob3
         run: |
           # VULNERABLE
           echo "::set-output name=OUTPUT::SAFE"
-          ls *.txt # $ Alert
+          ls *.txt
       - id: clob4
         run: |
           # VULNERABLE
           CURRENT_VERSION=$(cat gradle.properties | sed -n '/^version=/ { s/^version=//;p }')
           echo "$CURRENT_VERSION"
-          echo "::set-output name=OUTPUT::SAFE" # $ Alert
+          echo "::set-output name=OUTPUT::SAFE"

actions/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.expected

@@ -1,12 +1,3 @@
-#select
-| .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n |
-| .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n |
-| .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n |
-| .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | .github/workflows/output2.yml:16:18:16:49 | github.event.comment.body | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n |
-| .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n |
-| .github/workflows/output2.yml:48:14:51:48 | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:48:14:51:48 | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:48:14:51:48 | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n |
-| .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n |
-| .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n |
 edges
 | .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | provenance | Config |
 | .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | provenance | Config |
@@ -31,3 +22,12 @@ nodes
 | .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | semmle.label | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n |
 | .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | semmle.label | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n |
 subpaths
+#select
+| .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n |
+| .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n |
+| .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n |
+| .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | .github/workflows/output2.yml:16:18:16:49 | github.event.comment.body | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n |
+| .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n |
+| .github/workflows/output2.yml:48:14:51:48 | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:48:14:51:48 | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:48:14:51:48 | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n |
+| .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n |
+| .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n |

actions/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.qlref

@@ -1,2 +1 @@
-query: experimental/Security/CWE-074/OutputClobberingHigh.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+experimental/Security/CWE-074/OutputClobberingHigh.ql

actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning51.yml

@@ -12,9 +12,9 @@ jobs:
     steps:
       - run: |
           gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name"
-      - name: Unzip # $ Source[actions/envvar-injection/critical]
+      - name: Unzip
         run: |
           unzip artifact_name.zip -d foo
       - name: Env Var Injection
         run: |
-          echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV

actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning52.yml

@@ -12,14 +12,14 @@ jobs:
     steps:
       - run: |
           gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name"
-      - name: Unzip # $ Source[actions/envvar-injection/critical]
+      - name: Unzip
         run: |
           unzip artifact_name.zip -d foo
       - name: Env Var Injection
         run: |
           echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"
           cat foo >> "$GITHUB_ENV"
-          echo "EOF" >> "${GITHUB_ENV}" # $ Alert[actions/envvar-injection/critical]
+          echo "EOF" >> "${GITHUB_ENV}"
 
 
 

actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning53.yml

@@ -12,7 +12,7 @@ jobs:
     steps:
       - run: |
           gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name"
-      - name: Unzip # $ Source[actions/envvar-injection/critical]
+      - name: Unzip
         run: |
           unzip artifact_name.zip -d foo
       - run: |
@@ -20,7 +20,7 @@ jobs:
             echo 'JSON_RESPONSE<<EOF'
             cat foo
             echo EOF
-          } >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
+          } >> "$GITHUB_ENV"
 
 
 

actions/ql/test/query-tests/Security/CWE-077/.github/workflows/path1.yml

@@ -10,23 +10,23 @@ jobs:
 
       - run: echo "${{ github.event.pull_request.title }}" >> $GITHUB_PATH
       - env: 
-          PATHINJ: ${{ github.event.pull_request.title }} # $ Source[actions/envpath-injection/critical]
-        run: echo $(echo "$PATHINJ") >> $GITHUB_PATH # $ Alert[actions/envpath-injection/critical]
+          PATHINJ: ${{ github.event.pull_request.title }}
+        run: echo $(echo "$PATHINJ") >> $GITHUB_PATH
       - env: 
-          PATHINJ: ${{ github.event.pull_request.title }} # $ Source[actions/envpath-injection/critical]
-        run: echo $PATHINJ >> $GITHUB_PATH # $ Alert[actions/envpath-injection/critical]
+          PATHINJ: ${{ github.event.pull_request.title }}
+        run: echo $PATHINJ >> $GITHUB_PATH
       - env: 
-          PATHINJ: ${{ github.event.pull_request.title }} # $ Source[actions/envpath-injection/critical]
-        run: echo ${PATHINJ} >> $GITHUB_PATH # $ Alert[actions/envpath-injection/critical]
+          PATHINJ: ${{ github.event.pull_request.title }}
+        run: echo ${PATHINJ} >> $GITHUB_PATH
       - uses: dawidd6/action-download-artifact@v2
         with:
           name: artifact_name
           path: foo
-      - run: echo "$(cat foo/bar)" >> $GITHUB_PATH # $ Alert[actions/envpath-injection/critical] Source[actions/envpath-injection/critical]
+      - run: echo "$(cat foo/bar)" >> $GITHUB_PATH
       - env:
           ACTIONS_ALLOW_UNSECURE_COMMANDS: true
-          PATHINJ: ${{ github.event.pull_request.title }} # $ Source[actions/envpath-injection/critical]
-        run: echo "::add-path::$PATHINJ" # $ Alert[actions/envpath-injection/critical]
+          PATHINJ: ${{ github.event.pull_request.title }}
+        run: echo "::add-path::$PATHINJ"
 
 
 

actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test10.yml

@@ -23,6 +23,6 @@ jobs:
           ref: ${{steps.decide-ref.outputs.ref}}
           path: "foo"
 
-      - name: Read Java Config # $ Source[actions/envvar-injection/critical]
-        run: cat foo/.github/java-config.env >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+      - name: Read Java Config
+        run: cat foo/.github/java-config.env >> $GITHUB_ENV
   

actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test11.yml

@@ -18,11 +18,11 @@ jobs:
           run_id: ${{ github.event.workflow_run.id }}
           name: runtime-versions.md
 
-      - name: "Put runtime versions on the environment" # $ Source[actions/envvar-injection/critical]
+      - name: "Put runtime versions on the environment"
         id: runtime_versions
         run: |
           {
             echo 'RUNTIME_VERSIONS<<EOF'
             cat runtime-versions.md
             echo EOF
-          } >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
+          } >> "$GITHUB_ENV"

actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test12.yml

@@ -43,14 +43,14 @@ jobs:
           run_id: ${{ github.event.workflow_run.id }}
           name: runtime-versions.md
 
-      - name: "Put runtime versions on the environment" # $ Source[actions/envvar-injection/critical]
+      - name: "Put runtime versions on the environment"
         id: runtime_versions
         run: |
           {
             echo 'RUNTIME_VERSIONS<<EOF'
             cat runtime-versions.md
             echo EOF
-          } >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
+          } >> "$GITHUB_ENV"
 
       - name: "Download pre-release report"
         uses: dawidd6/action-download-artifact@v2
@@ -58,14 +58,14 @@ jobs:
           run_id: ${{ github.event.workflow_run.id }}
           name: prerelease-report.md
 
-      - name: "Put pre-release report on the environment" # $ Source[actions/envvar-injection/critical]
+      - name: "Put pre-release report on the environment"
         id: prerelease_report
         run: |
           {
             echo 'PRERELEASE_REPORT<<EOF'
             cat prerelease-report.md
             echo EOF
-          } >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
+          } >> "$GITHUB_ENV"
 
       - name: "Comment on PR with Wrangler link"
         uses: marocchino/sticky-pull-request-comment@v2

actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test13.yml

@@ -17,7 +17,7 @@ jobs:
       - name: Get commit message
         run: |
           COMMIT_MESSAGE=$(git log --format=%s)
-          echo "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV
       - name: Get commit message
         run: |
-          echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV

actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test14.yml

@@ -12,7 +12,7 @@ jobs:
           ref: ${{ github.event.pull_request.head.sha }}
       - id: changed-files
         run: |
-          echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
+          echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"
       - run: echo "${{ env.CHANGED-FILES }}"
   test2:
     runs-on: ubuntu-latest
@@ -23,7 +23,7 @@ jobs:
       - id: changed-files
         run: |
           FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)
-          echo "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
+          echo "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"
       - run: echo "${{ env.CHANGED-FILES }}"
 
 

actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test15.yml

@@ -9,7 +9,7 @@ jobs:
     steps:
       - id: title 
         run: |
-          echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
+          echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"
       - run: echo "$TITLE"
   test2:
     runs-on: ubuntu-latest
@@ -17,7 +17,7 @@ jobs:
       - id: title 
         run: |
           PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})
-          echo "BODY=$PR_BODY" >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
+          echo "BODY=$PR_BODY" >> "$GITHUB_ENV"
       - run: echo "$TITLE"
   test3:
     runs-on: ubuntu-latest

actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test16.yml

@@ -12,12 +12,12 @@ jobs:
         with:
           workflow: ${{ github.event.workflow_run.workflow_id }}
           name: pr_metadata
-      - run: | # $ Source[actions/envvar-injection/critical]
-          # VULNERABLE
-          echo "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
       - run: |
           # VULNERABLE
-          echo "PR_NUMBER=$(cat pr_number.txt | tr ',' '\n')" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV
+      - run: |
+          # VULNERABLE
+          echo "PR_NUMBER=$(cat pr_number.txt | tr ',' '\n')" >> $GITHUB_ENV
       - run: |
           # NOT VULNERABLE
           echo "PR_NUMBER=$(cat pr_number.txt | tr '\n' ' ')" >> $GITHUB_ENV

actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test2.yml

@@ -38,6 +38,6 @@ jobs:
             });
             var fs = require('fs');
             fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(downloadPr.data));
-      - run: | # $ Source[actions/envvar-injection/critical]
+      - run: |
           unzip pr.zip
-          echo "pr_number=$(cat NR)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo "pr_number=$(cat NR)" >> $GITHUB_ENV

actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test3.yml

@@ -17,7 +17,7 @@ jobs:
         workflow_conclusion: ''
         name: pr_metadata
         if_no_artifact_found: 'ignore'
-    - run: | # $ Source[actions/envvar-injection/critical]
+    - run: |
          echo "PR_NUMBER=$(cat pr_number.txt | jq -r .)" >> $GITHUB_ENV
          echo "PR_HEAD_REPO=$(cat pr_head_repo.txt | jq -Rr .)" >> $GITHUB_ENV
-         echo "PR_HEAD_REF=$(cat pr_head_ref.txt | jq -Rr .)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+         echo "PR_HEAD_REF=$(cat pr_head_ref.txt | jq -Rr .)" >> $GITHUB_ENV

actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml

@@ -8,43 +8,43 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - env:
-          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
+          TITLE: ${{ github.event.pull_request.title }}
         run: |
-          echo "PR_TITLE=$TITLE" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo "PR_TITLE=$TITLE" >> $GITHUB_ENV
       - env:
-          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
+          TITLE: ${{ github.event.pull_request.title }}
         run: |
-          echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV
       - env:
-          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
+          TITLE: ${{ github.event.pull_request.title }}
         run: |
-          echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV
       - env:
-          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
+          TITLE: ${{ github.event.pull_request.title }}
         run: |
           echo "PR_TITLE<<EOF" >> $GITHUB_ENV
           echo "$TITLE" >> $GITHUB_ENV
-          echo "EOF" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo "EOF" >> $GITHUB_ENV
       - env:
-          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
+          TITLE: ${{ github.event.pull_request.title }}
         run: |
           echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"
           echo "$TITLE" >> "${GITHUB_ENV}"
-          echo "EOF" >> "${GITHUB_ENV}" # $ Alert[actions/envvar-injection/critical]
+          echo "EOF" >> "${GITHUB_ENV}"
       - env:
-          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
+          TITLE: ${{ github.event.pull_request.title }}
         run: |
           {
             echo 'JSON_RESPONSE<<EOF'
             echo "$TITLE"
             echo EOF
-          } >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
+          } >> "$GITHUB_ENV"
       - env:
-          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
+          TITLE: ${{ github.event.pull_request.title }}
         run: |
           cat <<-EOF >> "$GITHUB_ENV"
           FOO=$TITLE
-          EOF # $ Alert[actions/envvar-injection/critical]
+          EOF
       - env:
           TITLE: ${{ github.event.pull_request.head.ref }}
         run: |
@@ -52,12 +52,12 @@ jobs:
       - run: echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV
         env:
           TARGET_BRANCH: ${{ github.head_ref }}
-      - run: echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+      - run: echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV
         env:
-          TARGET_BRANCH: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
-      - run: echo ISSUE_KEY=$(echo "${TITLE}" | grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          TARGET_BRANCH: ${{ github.event.pull_request.title }}
+      - run: echo ISSUE_KEY=$(echo "${TITLE}" | grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV
         env:
-          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
+          TITLE: ${{ github.event.pull_request.title }}
       - env:
           TITLE: |-
             ${{ github.event.pull_request.title }}

actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test5.yml

@@ -27,10 +27,10 @@ jobs:
             });
             let fs = require('fs');
             fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/oc-code-coverage.zip`, Buffer.from(download.data));
-      - name: 'Unzip code coverage' # $ Source[actions/envvar-injection/critical]
+      - name: 'Unzip code coverage'
         run: unzip oc-code-coverage.zip -d coverage
       - name: set env vars 
         run: | 
           echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV
           echo "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV
-          echo "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV

actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test6.yml

@@ -8,20 +8,20 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - env:
-          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
+          TITLE: ${{ github.event.pull_request.title }}
         run: |
           FOO=${TITLE##*/}
-          echo PR_TITLE=${FOO} >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo PR_TITLE=${FOO} >> $GITHUB_ENV
       - env:
-          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
+          TITLE: ${{ github.event.pull_request.title }}
         run: |
           FOO=$TITLE+
-          echo PR_TITLE=$FOO >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo PR_TITLE=$FOO >> $GITHUB_ENV
       - env:
-          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
+          TITLE: ${{ github.event.pull_request.title }}
         run: |
           venv="$(echo $TITLE)')"
-          echo "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV
 
 
 

actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test7.yml

@@ -13,7 +13,7 @@ jobs:
             run_id: ${{github.event.workflow_run.id}}
             name: artifact
 
-      - name: Load .env file # $ Source[actions/envvar-injection/critical]
+      - name: Load .env file
         uses: aarcangeli/load-dotenv@v1.0.0
         with:
           path: 'backend/new'
@@ -21,5 +21,5 @@ jobs:
             .env
             .env.test
           quiet: false
-          if-file-not-found: error # $ Alert[actions/envvar-injection/critical]
+          if-file-not-found: error
 

actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test8.yml

@@ -27,13 +27,13 @@ jobs:
           run_id: ${{ github.event.workflow_run.id }}
           path: ./artifacts
 
-      - name: assignment # $ Source[actions/envvar-injection/critical]
+      - name: assignment
         run: |
           foo=$(cat ./artifacts/parent-artifacts/event.txt)
-          echo "foo=$foo" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo "foo=$foo" >> $GITHUB_ENV
       - name: direct 1 
         run: |
-          echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV
       - name: direct 2
         run: |
-          echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV

actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test9.yml

@@ -24,7 +24,7 @@ jobs:
           name: event_file
           path: artifacts/event_file
 
-      - name: Try to read PR number # $ Source[actions/envvar-injection/critical]
+      - name: Try to read PR number
         id: set-ref
         run: |
           pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)
@@ -38,4 +38,4 @@ jobs:
           fi
 
           echo "pr_num=$pr_num" >> $GITHUB_ENV
-          echo "ref=$ref" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo "ref=$ref" >> $GITHUB_ENV

actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected

@@ -1,9 +1,3 @@
-#select
-| .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
 edges
 | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance | Config |
 | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance | Config |
@@ -22,3 +16,9 @@ nodes
 | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
 | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | semmle.label | echo "::add-path::$PATHINJ" |
 subpaths
+#select
+| .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |

actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.qlref

@@ -1,2 +1 @@
-query: Security/CWE-077/EnvPathInjectionCritical.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+Security/CWE-077/EnvPathInjectionCritical.ql

actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected

@@ -1,4 +1,3 @@
-#select
 edges
 | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance | Config |
 | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance | Config |
@@ -17,3 +16,4 @@ nodes
 | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
 | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | semmle.label | echo "::add-path::$PATHINJ" |
 subpaths
+#select

actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.qlref

@@ -1,2 +1 @@
-query: Security/CWE-077/EnvPathInjectionMedium.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+Security/CWE-077/EnvPathInjectionMedium.ql

actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected

@@ -1,40 +1,3 @@
-#select
-| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  cat foo\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  cat foo\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  cat foo\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'JSON_RESPONSE<<EOF'\n  cat foo\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:3:3:3:14 | workflow_run | workflow_run |
-| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:3:3:3:14 | workflow_run | workflow_run |
-| .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/test4.yml:36:14:41:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE"\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE"\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:36:14:41:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE"\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE"\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:3:3:3:14 | workflow_run | workflow_run |
-| .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/test7.yml:16:9:24:35 | Uses Step | .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Uses Step | .github/workflows/test7.yml:4:5:4:16 | workflow_run | workflow_run |
-| .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/test11.yml:23:14:28:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test11.yml:23:14:28:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test11.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/test12.yml:48:14:53:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:48:14:53:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:3:3:3:21 | pull_request_target | pull_request_target |
-| .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:3:3:3:21 | pull_request_target | pull_request_target |
-| .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:4:3:4:14 | workflow_run | workflow_run |
 edges
 | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | Config |
 | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config |
@@ -129,3 +92,40 @@ nodes
 | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n |
 | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n |
 subpaths
+#select
+| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  cat foo\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  cat foo\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  cat foo\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'JSON_RESPONSE<<EOF'\n  cat foo\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:3:3:3:14 | workflow_run | workflow_run |
+| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:3:3:3:14 | workflow_run | workflow_run |
+| .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test4.yml:36:14:41:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE"\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE"\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:36:14:41:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE"\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE"\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:3:3:3:14 | workflow_run | workflow_run |
+| .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test7.yml:16:9:24:35 | Uses Step | .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Uses Step | .github/workflows/test7.yml:4:5:4:16 | workflow_run | workflow_run |
+| .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test11.yml:23:14:28:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test11.yml:23:14:28:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test11.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/test12.yml:48:14:53:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:48:14:53:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:3:3:3:21 | pull_request_target | pull_request_target |
+| .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:3:3:3:21 | pull_request_target | pull_request_target |
+| .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:4:3:4:14 | workflow_run | workflow_run |

actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.qlref

@@ -1,2 +1 @@
-query: Security/CWE-077/EnvVarInjectionCritical.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+Security/CWE-077/EnvVarInjectionCritical.ql

actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected

@@ -1,4 +1,3 @@
-#select
 edges
 | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | Config |
 | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config |
@@ -93,3 +92,4 @@ nodes
 | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n |
 | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n |
 subpaths
+#select

actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.qlref

@@ -1,2 +1 @@
-query: Security/CWE-077/EnvVarInjectionMedium.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+Security/CWE-077/EnvVarInjectionMedium.ql

actions/ql/test/query-tests/Security/CWE-078/.github/workflows/comment_issue.yml

@@ -6,4 +6,4 @@ jobs:
     steps:
       - uses: ruby/setup-ruby@v2
         with:
-          ruby-version: ${{ github.event.comment.body }} # $ Alert[actions/command-injection/critical]
+          ruby-version: ${{ github.event.comment.body }}

actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected

@@ -1,6 +1,6 @@
-#select
-| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential command injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment |
 edges
 nodes
 | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body |
 subpaths
+#select
+| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential command injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment |

actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.qlref

@@ -1,2 +1 @@
-query: experimental/Security/CWE-078/CommandInjectionCritical.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+experimental/Security/CWE-078/CommandInjectionCritical.ql

actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected

@@ -1,5 +1,5 @@
-#select
 edges
 nodes
 | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body |
 subpaths
+#select

actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.qlref

@@ -1,2 +1 @@
-query: experimental/Security/CWE-078/CommandInjectionMedium.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+experimental/Security/CWE-078/CommandInjectionMedium.ql

actions/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml

@@ -7,7 +7,7 @@ jobs:
   test1:
     runs-on: ubuntu-latest
     env:
-      TITLE: ${{github.event.pull_request.title}} # $ Source[actions/argument-injection/critical]
+      TITLE: ${{github.event.pull_request.title}}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -18,50 +18,50 @@ jobs:
           echo "s/FOO/$TITLE/g"
       - run: |
           # VULNERABLE
-          sed "s/FOO/$TITLE/g" # $ Alert[actions/argument-injection/critical]
+          sed "s/FOO/$TITLE/g"
       - run: |
           # VULNERABLE
-          echo "foo" | sed "s/FOO/$TITLE/g" > bar # $ Alert[actions/argument-injection/critical]
+          echo "foo" | sed "s/FOO/$TITLE/g" > bar
       - run: |
           # VULNERABLE
-          echo $(echo "foo" | sed "s/FOO/$TITLE/g" > bar) # $ Alert[actions/argument-injection/critical]
+          echo $(echo "foo" | sed "s/FOO/$TITLE/g" > bar)
       - run: |
           # VULNERABLE
-          awk "BEGIN {$TITLE}" # $ Alert[actions/argument-injection/critical]
+          awk "BEGIN {$TITLE}"
       - run: |
           # VULNERABLE
-          sed -i "s/git_branch = .*/git_branch = \"$GITHUB_HEAD_REF\"/" config.json # $ Alert[actions/argument-injection/critical]
+          sed -i "s/git_branch = .*/git_branch = \"$GITHUB_HEAD_REF\"/" config.json
       - run: |
           # VULNERABLE
-          sed -i "s|git_branch = .*|git_branch = \"$GITHUB_HEAD_REF\"|" config.json # $ Alert[actions/argument-injection/critical]
+          sed -i "s|git_branch = .*|git_branch = \"$GITHUB_HEAD_REF\"|" config.json
       - run: |
           # VULNERABLE
           sed -e 's#<branch_to_sync>#${TITLE}#' \
               -e 's#<sot_repo>#${{ env.sot_repo }}#' \
               -e 's#<destination_repo>#TITLE#' \
-              .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky # $ Alert[actions/argument-injection/critical]
+              .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky
       - run: |
           # VULNERABLE
           sed -e 's#<branch_to_sync>#TITLE#' \
               -e 's#<sot_repo>#${{ env.sot_repo }}#' \
               -e 's#<destination_repo>#${TITLE}#' \
-              .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky # $ Alert[actions/argument-injection/critical]
+              .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky
       - run: |
           # VULNERABLE
           BODY=$(git log --format=%s)
-          sed "s/FOO/$BODY/g" > /tmp/foo # $ Alert[actions/argument-injection/critical]
+          sed "s/FOO/$BODY/g" > /tmp/foo
       - run: |
           # VULNERABLE
           BODY=$(git diff --name-only HEAD)
-          sed "s/FOO/$BODY/g" > /tmp/foo # $ Alert[actions/argument-injection/critical]
+          sed "s/FOO/$BODY/g" > /tmp/foo
       - run: |
           # VULNERABLE
           BODY=$(git diff --name-only HEAD )
-          sed "s/FOO/$BODY/g" > /tmp/foo # $ Alert[actions/argument-injection/critical]
+          sed "s/FOO/$BODY/g" > /tmp/foo
       - run: |
           # VULNERABLE
           BODY=$(git diff --name-only HEAD^ | xargs)
-          sed "s/FOO/$BODY/g" > /tmp/foo # $ Alert[actions/argument-injection/critical]
+          sed "s/FOO/$BODY/g" > /tmp/foo
       - run: |
           # NOT VULNERABLE
           echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT

actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected

@@ -1,16 +1,3 @@
-#select
-| .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | awk | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#TITLE#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#TITLE#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#TITLE#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#${TITLE}#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#${TITLE}#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#${TITLE}#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 edges
 | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | provenance | Config |
 | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | provenance | Config |
@@ -33,3 +20,16 @@ nodes
 | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n |
 | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n |
 subpaths
+#select
+| .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | awk | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#TITLE#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#TITLE#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#TITLE#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#${TITLE}#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#${TITLE}#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#${TITLE}#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |

actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.qlref

@@ -1,2 +1 @@
-query: experimental/Security/CWE-088/ArgumentInjectionCritical.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+experimental/Security/CWE-088/ArgumentInjectionCritical.ql

actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected

@@ -1,4 +1,3 @@
-#select
 edges
 | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | provenance | Config |
 | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | provenance | Config |
@@ -21,3 +20,4 @@ nodes
 | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n |
 | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n |
 subpaths
+#select

actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.qlref

@@ -1,2 +1 @@
-query: experimental/Security/CWE-088/ArgumentInjectionMedium.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+experimental/Security/CWE-088/ArgumentInjectionMedium.ql

actions/ql/test/query-tests/Security/CWE-094/.github/actions/action1/action.yml

@@ -4,4 +4,4 @@ runs:
   using: 'composite'
   steps:
     - shell: bash
-      run: echo '${{ github.event.pull_request.body }}' # $ Alert[actions/code-injection/critical]
+      run: echo '${{ github.event.pull_request.body }}'

actions/ql/test/query-tests/Security/CWE-094/.github/actions/action3/action.yml

@@ -6,4 +6,4 @@ runs:
     - shell: bash
       env:
         FOO: ${{ secrets.FOO}}
-      run: echo '${{ github.event.pull_request.body }}' # $ Alert[actions/code-injection/medium]
+      run: echo '${{ github.event.pull_request.body }}'

actions/ql/test/query-tests/Security/CWE-094/.github/actions/action4/action.yml

@@ -4,4 +4,4 @@ runs:
   using: 'composite'
   steps:
     - shell: bash
-      run: echo '${{ github.event.pull_request.body }}' # $ Alert[actions/code-injection/medium]
+      run: echo '${{ github.event.pull_request.body }}'

actions/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml

@@ -16,7 +16,7 @@ runs:
   using: 'composite'
   steps:
     - shell: bash
-      run: echo '${{ github.event.issue.body }}' # $ Alert[actions/code-injection/critical]
+      run: echo '${{ github.event.issue.body }}'
     - name: Step
       id: step 
       env:
@@ -25,10 +25,10 @@ runs:
       run: echo "result=$(echo $FOO)" >> $GITHUB_OUTPUT
     - id: step2
       env:
-        FOO2: ${{ github.event.issue.body }} # $ Source[actions/code-injection/critical]
+        FOO2: ${{ github.event.issue.body }}
       shell: bash
       run: echo "result2=$(echo $FOO2)" >> $GITHUB_OUTPUT
     - name: Sink
       id: sink
       shell: bash
-      run: echo "${{ inputs.taint }}" # $ Alert[actions/code-injection/critical]
+      run: echo "${{ inputs.taint }}"

actions/ql/test/query-tests/Security/CWE-094/.github/actions/action6/action.yml

@@ -213,7 +213,7 @@ runs:
       run: |
         git config --global user.name "${{ inputs.github_username }}"
         git config --global user.email "${{ inputs.github_email }}"
-        git pull origin ${{ github.head_ref || github.ref }} # $ Alert[actions/code-injection/critical]
+        git pull origin ${{ github.head_ref || github.ref }}
         git add .
         git reset HEAD -- .github/workflows/  # workflow changes are not permitted with default token
         if ! git diff --staged --quiet; then

actions/ql/test/query-tests/Security/CWE-094/.github/actions/action7/action.yml

@@ -74,7 +74,7 @@ runs:
       #   pip install -q git+https://github.com/ultralytics/actions@main codespell tomli
       run: |
         packages="ultralytics-actions"
-        if [ "${{ inputs.spelling }}" = "true" ]; then # $ Alert[actions/code-injection/medium]
+        if [ "${{ inputs.spelling }}" = "true" ]; then
           packages="$packages codespell tomli"
         fi
 
@@ -211,10 +211,10 @@ runs:
     - name: Commit and Push Changes
       if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && github.event.action != 'closed'
       run: |
-        git config --global user.name "${{ inputs.github_username }}" # $ Alert[actions/code-injection/medium]
-        git config --global user.email "${{ inputs.github_email }}" # $ Alert[actions/code-injection/medium]
+        git config --global user.name "${{ inputs.github_username }}"
+        git config --global user.email "${{ inputs.github_email }}"
         # this action is not called in the test
-        git pull origin ${{ github.head_ref || github.ref }} # $ Alert[actions/code-injection/medium]
+        git pull origin ${{ github.head_ref || github.ref }}
         git add .
         git reset HEAD -- .github/workflows/  # workflow changes are not permitted with default token
         if ! git diff --staged --quiet; then

actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml

@@ -19,7 +19,7 @@ runs:
   using: composite
   steps:
     - shell: bash
-      run: echo "${{ inputs.title }}" # $ Alert[actions/code-injection/critical]
+      run: echo "${{ inputs.title }}"
     - uses: frabert/replace-string-action@v2.5
       id: out 
       with:

actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/ultralytics/actions/action.yaml

@@ -93,7 +93,7 @@ runs:
       shell: bash
     - shell: bash
       run: |
-        echo "${{ inputs.body }}" # $ Alert[actions/code-injection/critical]
+        echo "${{ inputs.body }}"
 
     # Checkout Repository ----------------------------------------------------------------------------------------------
     - name: Checkout Repository
@@ -220,7 +220,7 @@ runs:
       run: |
         git config --global user.name "${{ inputs.github_username }}"
         git config --global user.email "${{ inputs.github_email }}"
-        git pull origin ${{ github.head_ref || github.ref }} # $ Alert[actions/code-injection/critical]
+        git pull origin ${{ github.head_ref || github.ref }}
         git add .
         git reset HEAD -- .github/workflows/  # workflow changes are not permitted with default token
         if ! git diff --staged --quiet; then

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/argus_case_study.yml

@@ -14,7 +14,7 @@ jobs:
       - uses: actions/checkout@v2
       - name: Remove conflicting chars
         env:
-          ISSUE_TITLE: ${{github.event.issue.title}} # $ Source[actions/code-injection/critical]
+          ISSUE_TITLE: ${{github.event.issue.title}}
         uses: frabert/replace-string-action@1.2
         id: remove_quotations
         with:
@@ -24,6 +24,6 @@ jobs:
       - name: Check info
         id: check-info
         run: |
-          echo "foo $(pwsh bar ${{steps.remove_quotations.outputs.replaced}}) " >> $GITHUB_ENV # $ Alert[actions/code-injection/critical]
+          echo "foo $(pwsh bar ${{steps.remove_quotations.outputs.replaced}}) " >> $GITHUB_ENV
 
 

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml

@@ -17,12 +17,12 @@ jobs:
           workflow: ${{ github.event.workflow_run.workflow_id }}
           name: pr
 
-      - name: save PR id # $ Source[actions/code-injection/critical]
+      - name: save PR id
         id: pr
         run: echo "::set-output name=id::$(<pr-id.txt)"
 
       - name: upload surge service
         id: deploy
         run: |
-          export DEPLOY_DOMAIN=https://ant-design-pro-preview-pr-${{ steps.pr.outputs.id }}.surge.sh # $ Alert[actions/code-injection/critical]
+          export DEPLOY_DOMAIN=https://ant-design-pro-preview-pr-${{ steps.pr.outputs.id }}.surge.sh
           npx surge --project ./ --domain $DEPLOY_DOMAIN --token ${{ secrets.SURGE_TOKEN }}

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning2.yml

@@ -16,8 +16,8 @@ jobs:
         with:
           name: README
 
-      - name: upload surge service # $ Source[actions/code-injection/critical]
+      - name: upload surge service
         id: deploy
         run: |
-          echo ${{ steps.pr.outputs.id }} # $ Alert[actions/code-injection/critical]
+          echo ${{ steps.pr.outputs.id }}
 

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning3.yml

@@ -38,7 +38,7 @@ jobs:
             });
             var fs = require('fs');
             fs.writeFileSync('${{github.workspace}}/input.zip', Buffer.from(download.data));
-      - name: Set needed env vars in outputs # $ Source[actions/code-injection/critical]
+      - name: Set needed env vars in outputs
         id: prepare
         run: |
           unzip input.zip
@@ -50,4 +50,4 @@ jobs:
           echo "PR: ${tmp}"
           echo "pr=${tmp}" >> $GITHUB_OUTPUT
 
-      - run: echo ${{ steps.prepare.outputs.pr }} # $ Alert[actions/code-injection/critical]
+      - run: echo ${{ steps.prepare.outputs.pr }}

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning4.yml

@@ -14,9 +14,9 @@ jobs:
             name: artifact
 
       # Save PR id to output
-      - name: Save artifact data # $ Source[actions/code-injection/critical]
+      - name: Save artifact data
         id: artifact
         run: echo "::set-output name=id::$(<artifact.txt)"
 
       - name: Use artifact
-        run: echo ${{ steps.artifact.outputs.id }}  # $ Alert[actions/code-injection/critical]
+        run: echo ${{ steps.artifact.outputs.id }} 

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning5.yml

@@ -13,11 +13,11 @@ jobs:
             name: artifact
 
       # Save PR id to output
-      - name: Save artifact data # $ Source[actions/code-injection/critical]
+      - name: Save artifact data
         id: artifact
         uses: juliangruber/read-file-action@v1
         with:
           path: ./artifact.txt
       - name: Use artifact
-        run: echo ${{ steps.artifact.outputs.content }}  # $ Alert[actions/code-injection/critical]
+        run: echo ${{ steps.artifact.outputs.content }} 
 

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning6.yml

@@ -12,13 +12,13 @@ jobs:
             run_id: ${{github.event.workflow_run.id}}
             name: artifact
 
-      - id: artifact # $ Source[actions/code-injection/critical]
+      - id: artifact
         run: |
           echo "::set-output name=pr_number::$(<artifact.txt)"
           mkdir firebase-android
           unzip firebase-android.zip -d firebase-android
       - name: Use artifact
-        run: echo ${{ steps.artifact.outputs.pr_number }}  # $ Alert[actions/code-injection/critical]
+        run: echo ${{ steps.artifact.outputs.pr_number }} 
 
       - id: artifact2
         run: |
@@ -26,5 +26,5 @@ jobs:
           mkdir firebase-android
           unzip firebase-android.zip -d firebase-android
       - name: Use artifact
-        run: echo ${{ steps.artifact2.outputs.pr_number }}  # $ Alert[actions/code-injection/critical]
+        run: echo ${{ steps.artifact2.outputs.pr_number }} 
 

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning7.yml

@@ -12,7 +12,7 @@ jobs:
             run_id: ${{github.event.workflow_run.id}}
             name: artifact
 
-      - id: artifact # $ Source[actions/code-injection/critical]
+      - id: artifact
         run: |
           set -eou pipefail
           pr_number=$(cat -e artifact.txt)
@@ -27,5 +27,5 @@ jobs:
           mkdir firebase-android
           unzip firebase-android.zip -d firebase-android
       - name: Use artifact
-        run: echo ${{ steps.artifact.outputs.pr_number }}  # $ Alert[actions/code-injection/critical]
+        run: echo ${{ steps.artifact.outputs.pr_number }} 
 

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning8.yml

@@ -14,9 +14,9 @@ jobs:
             name: artifact
 
       # Save PR id to output
-      - name: Save artifact data # $ Source[actions/code-injection/critical]
+      - name: Save artifact data
         id: artifact
         run: echo "::set-output name=id::$(<artifact.txt)"
 
       - name: Use artifact
-        run: echo ${{ steps.artifact.outputs.id }}  # $ Alert[actions/code-injection/critical]
+        run: echo ${{ steps.artifact.outputs.id }} 

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/changed-files.yml

@@ -15,9 +15,9 @@ jobs:
       - name: Get changed files 1
         id: changed-files1
         uses: tj-actions/changed-files@v40
-      - name: List all changed files 1 # $ Source[actions/code-injection/medium]
+      - name: List all changed files 1
         run: |
-          for file in ${{ steps.changed-files1.outputs.all_changed_files }}; do # $ Alert[actions/code-injection/medium]
+          for file in ${{ steps.changed-files1.outputs.all_changed_files }}; do
             echo "$file was changed"
           done
 
@@ -35,9 +35,9 @@ jobs:
         uses: tj-actions/changed-files@v41
         with:
           safe_output: false
-      - name: List all changed files 3 # $ Source[actions/code-injection/medium]
+      - name: List all changed files 3
         run: |
-          for file in ${{ steps.changed-files3.outputs.all_changed_files }}; do # $ Alert[actions/code-injection/medium]
+          for file in ${{ steps.changed-files3.outputs.all_changed_files }}; do
             echo "$file was changed"
           done
 
@@ -53,8 +53,8 @@ jobs:
       - name: Get changed files 5
         id: changed-files5
         uses: tj-actions/changed-files@95690f9ece77c1740f4a55b7f1de9023ed6b1f87 # v39.2.3
-      - name: List all changed files 5 # $ Source[actions/code-injection/medium]
+      - name: List all changed files 5
         run: |
-          for file in ${{ steps.changed-files5.outputs.all_changed_files }}; do # $ Alert[actions/code-injection/medium]
+          for file in ${{ steps.changed-files5.outputs.all_changed_files }}; do
             echo "$file was changed"
           done

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue.yml

@@ -6,25 +6,25 @@ jobs:
     steps:
     - run: |
         Foo
-        echo '${{ github.event.comment.body }}' # $ Alert[actions/code-injection/critical]
+        echo '${{ github.event.comment.body }}'
         Bar
 
   echo-chamber2:
     runs-on: ubuntu-latest
     steps:
-    - run: echo '${{ github.event.comment.body }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.issue.body }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.issue.title }}' # $ Alert[actions/code-injection/critical]
+    - run: echo '${{ github.event.comment.body }}'
+    - run: echo '${{ github.event.issue.body }}'
+    - run: echo '${{ github.event.issue.title }}'
 
   echo-chamber3:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/github-script@v3
       with:
-        script: console.log('${{ github.event.comment.body }}') # $ Alert[actions/code-injection/critical]
+        script: console.log('${{ github.event.comment.body }}')
     - uses: actions/github-script@v3
       with:
-        script: console.log('${{ github.event.issue.body }}') # $ Alert[actions/code-injection/critical]
+        script: console.log('${{ github.event.issue.body }}')
     - uses: actions/github-script@v3
       with:
-        script: console.log('${{ github.event.issue.title }}') # $ Alert[actions/code-injection/critical]
+        script: console.log('${{ github.event.issue.title }}')

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue_newline.yml

@@ -7,6 +7,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - run: |
-          LINE 1 echo '${{ github.event.comment.body }}' # $ Alert[actions/code-injection/critical]
-          LINE 2 echo '${{github.event.issue.body}}' # $ Alert[actions/code-injection/critical]
-          LINE 3 echo '${{ github.event.comment.body }}' # $ Alert[actions/code-injection/critical]
+          LINE 1 echo '${{ github.event.comment.body }}'
+          LINE 2 echo '${{github.event.issue.body}}'
+          LINE 3 echo '${{ github.event.comment.body }}'

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-3.yml

@@ -9,7 +9,7 @@ jobs:
       - uses: .github/actions/action5
         id: foo
         with:
-          taint: ${{ github.event.comment.body }} # $ Source[actions/code-injection/critical]
-      - run: echo "${{ steps.foo.outputs.result }}" # $ Alert[actions/code-injection/critical]
-      - run: echo "${{ steps.foo.outputs.result2 }}" # $ Alert[actions/code-injection/critical]
+          taint: ${{ github.event.comment.body }}
+      - run: echo "${{ steps.foo.outputs.result }}"
+      - run: echo "${{ steps.foo.outputs.result2 }}"
 

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-4.yml

@@ -11,8 +11,8 @@ jobs:
         id: clone
         uses: TestOrg/TestRepo/.github/actions/clone-repo@main
         with:
-          title: ${{ github.event.pull_request.title }} # $ Source[actions/code-injection/critical]
+          title: ${{ github.event.pull_request.title }}
           forked-pr: true
           fetch-depth: 2
-      - run: echo "${{ steps.clone.outputs.result }}" # $ Alert[actions/code-injection/critical]
+      - run: echo "${{ steps.clone.outputs.result }}"
 

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/cross3.yml

@@ -29,7 +29,7 @@ jobs:
       id: remove_quotations
       with:
         pattern: "\""
-        string: ${{github.event.commits[0].message}} # $ Source[actions/code-injection/medium]
+        string: ${{github.event.commits[0].message}}
         replace-with: "-"  
         flags: g
 
@@ -39,7 +39,7 @@ jobs:
           ISSUE_BODY_PARSED: ${{steps.remove_quotations.outputs.replaced}}
       id: check-info
       run: |
-        echo "destination_branch=$(pwsh .\\.github\\scripts\\cherry_pick_check.ps1 "${{ env.ISSUE_BODY_PARSED }}" )" >> $GITHUB_ENV # $ Alert[actions/code-injection/medium]
+        echo "destination_branch=$(pwsh .\\.github\\scripts\\cherry_pick_check.ps1 "${{ env.ISSUE_BODY_PARSED }}" )" >> $GITHUB_ENV
     
       #If a target branch was found will run the action
     - if: env.destination_branch != 'invalid'
@@ -50,7 +50,7 @@ jobs:
         git checkout -b ${{env.auto_branch}} origin/${{env.destination_branch}}
         git cherry-pick -x ${{github.event.after}} --strategy-option theirs
         git push -u origin ${{env.auto_branch}}
-        hub pull-request -b "${{env.destination_branch}}" -h "${{env.auto_branch}}" -m "${{env.pr_message}}" # $ Alert[actions/code-injection/medium]
+        hub pull-request -b "${{env.destination_branch}}" -h "${{env.auto_branch}}" -m "${{env.pr_message}}"
       env: 
         #Token used for the pull request. Corresponds to the DynamoBot account
         GITHUB_TOKEN: ${{secrets.DYNAMOBOTTOKEN}}

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion.yml

@@ -4,5 +4,5 @@ jobs:
   echo-chamber:
     runs-on: ubuntu-latest
     steps:
-    - run: echo '${{ github.event.discussion.title }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.discussion.body }}' # $ Alert[actions/code-injection/critical]
+    - run: echo '${{ github.event.discussion.title }}'
+    - run: echo '${{ github.event.discussion.body }}'

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion_comment.yml

@@ -4,6 +4,6 @@ jobs:
   echo-chamber:
     runs-on: ubuntu-latest
     steps:
-    - run: echo '${{ github.event.discussion.title }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.discussion.body }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.comment.body }}' # $ Alert[actions/code-injection/critical]
+    - run: echo '${{ github.event.discussion.title }}'
+    - run: echo '${{ github.event.discussion.body }}'
+    - run: echo '${{ github.event.comment.body }}'

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml

@@ -81,7 +81,7 @@ jobs:
           
           git push \
             "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \
-            'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}' # $ Alert[actions/code-injection/critical] Source[actions/code-injection/critical]
+            'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'
       env:
         BOT_PA_TOKEN: ${{ secrets.githubBotPAT }}
 
@@ -91,4 +91,4 @@ jobs:
       with:
         github-token: ${{ secrets.githubBotPAT }}
         script: |
-          const fileList = `${{ steps.git-commit.outputs.file-list }}` # $ Alert[actions/code-injection/critical]
+          const fileList = `${{ steps.git-commit.outputs.file-list }}`

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml

@@ -33,7 +33,7 @@ jobs:
       next_version: next
       link: '[#${{ github.event.number }}](https://github.com/fabricjs/fabric.js/pull/${{ github.event.number }})'
     steps:
-      - run: echo "${{ inputs.taint }}" # $ Alert[actions/code-injection/critical]
+      - run: echo "${{ inputs.taint }}"
       - uses: actions/checkout@v3
         with:
           ref: ${{ github.event.pull_request.head.ref }}
@@ -41,8 +41,8 @@ jobs:
         id: update
         uses: actions/github-script@v6
         env:
-          log: '- ${{ github.event.pull_request.title }} ${{ env.link }}\n' # $ Source[actions/code-injection/critical]
-          prev_log: '- ${{ github.event.changes.title.from }} ${{ env.link }}\n' # $ Source[actions/code-injection/critical]
+          log: '- ${{ github.event.pull_request.title }} ${{ env.link }}\n'
+          prev_log: '- ${{ github.event.changes.title.from }} ${{ env.link }}\n'
         with:
           result-encoding: string
           script: |
@@ -50,7 +50,7 @@ jobs:
             const file = './${{ env.file }}';
             let content = fs.readFileSync(file).toString();
             const title = '[${{ env.next_version }}]';
-            const log = '${{ env.log }}'; # $ Alert[actions/code-injection/critical]
+            const log = '${{ env.log }}';
             let exists = ${{ needs.changelog.result == 'success' }};
 
             if (!content.includes(title)) {
@@ -63,7 +63,7 @@ jobs:
 
             const insertAt = content.indexOf('\n', content.indexOf(title) + title.length + 1) + 1;
             if (exists && ${{ github.event.action == 'edited' }}) {
-                const prevLog = '${{ env.prev_log }}'; # $ Alert[actions/code-injection/critical]
+                const prevLog = '${{ env.prev_log }}';
                 const index = content.indexOf(prevLog, insertAt);
                 if (index > -1) {
                     content = content.slice(0, index) + content.slice(index + prevLog.length);

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/gollum.yml

@@ -4,8 +4,8 @@ jobs:
   echo-chamber:
     runs-on: ubuntu-latest
     steps:
-    - run: echo '${{ github.event.pages[1].title }}' # $ Alert[actions/code-injection/medium]
-    - run: echo '${{ github.event.pages[11].title }}' # $ Alert[actions/code-injection/medium]
-    - run: echo '${{ github.event.pages[0].page_name }}' # $ Alert[actions/code-injection/medium]
-    - run: echo '${{ github.event.pages[2222].page_name }}' # $ Alert[actions/code-injection/medium]
+    - run: echo '${{ github.event.pages[1].title }}'
+    - run: echo '${{ github.event.pages[11].title }}'
+    - run: echo '${{ github.event.pages[0].page_name }}'
+    - run: echo '${{ github.event.pages[2222].page_name }}'
     - run: echo '${{ toJSON(github.event.pages.*.title) }}' # safe

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/image_link_generator.yml

@@ -15,7 +15,7 @@ jobs:
       - name: Extract and Clean Initial URL
         id: extract-url
         env:
-          BODY: ${{ github.event.comment.body }} # $ Source[actions/code-injection/critical]
+          BODY: ${{ github.event.comment.body }}
         run: |
           echo "::set-output name=initial_url::$BODY"
 
@@ -34,4 +34,4 @@ jobs:
 
       - name: Update Comment with New URL
         run: |
-          NEW_COMMENT_BODY="Use this link to include this asset in your changelog: ${{ steps.trim-url.outputs.trimmed_url }}" # $ Alert[actions/code-injection/critical]
+          NEW_COMMENT_BODY="Use this link to include this asset in your changelog: ${{ steps.trim-url.outputs.trimmed_url }}"

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml

@@ -23,7 +23,7 @@ jobs:
         id: source 
         uses: tj-actions/changed-files@v40
 
-      - name: Remove foo from changed files # $ Source[actions/code-injection/medium]
+      - name: Remove foo from changed files
         id: step
         uses: mad9000/actions-find-and-replace-string@3
         with:
@@ -40,4 +40,4 @@ jobs:
 
     steps:
       - id: sink
-        run: echo ${{needs.job1.outputs.job_output}} # $ Alert[actions/code-injection/medium]
+        run: echo ${{needs.job1.outputs.job_output}}

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job1.yml

@@ -23,7 +23,7 @@ jobs:
         id: source 
         uses: tj-actions/changed-files@v40
 
-      - name: Remove foo from changed files # $ Source[actions/code-injection/medium]
+      - name: Remove foo from changed files
         id: step
         uses: mad9000/actions-find-and-replace-string@3
         with:
@@ -40,4 +40,4 @@ jobs:
 
     steps:
       - id: sink
-        run: echo ${{needs.job1.outputs.job_output}} # $ Alert[actions/code-injection/medium]
+        run: echo ${{needs.job1.outputs.job_output}}

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job2.yml

@@ -23,7 +23,7 @@ jobs:
         id: source 
         uses: tj-actions/changed-files@v40
 
-      - name: Remove foo from changed files # $ Source[actions/code-injection/medium]
+      - name: Remove foo from changed files
         id: step
         uses: mad9000/actions-find-and-replace-string@3
         with:
@@ -42,4 +42,4 @@ jobs:
 
     steps:
       - id: sink
-        run: echo ${{needs.job1.outputs.job_output}} # $ Alert[actions/code-injection/medium]
+        run: echo ${{needs.job1.outputs.job_output}}

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job4.yml

@@ -23,7 +23,7 @@ jobs:
         id: source 
         uses: tj-actions/changed-files@v40
 
-      - name: Remove foo from changed files # $ Source[actions/code-injection/medium]
+      - name: Remove foo from changed files
         id: step
         uses: mad9000/actions-find-and-replace-string@3
         with:
@@ -41,4 +41,4 @@ jobs:
 
     steps:
       - id: sink
-        run: echo ${{needs.job1.outputs.job_output}} # $ Alert[actions/code-injection/medium]
+        run: echo ${{needs.job1.outputs.job_output}}

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job5.yml

@@ -42,4 +42,4 @@ jobs:
     steps:
       - id: sink
         # Should not be reported since job1 is not needed
-        run: echo ${{needs.job1.outputs.job_output}} # $ Alert[actions/code-injection/medium]
+        run: echo ${{needs.job1.outputs.job_output}}

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/issues.yaml

@@ -1,20 +1,20 @@
 on: issues
 
 env:
-  global_env: ${{ github.event.issue.title }} # $ Source[actions/code-injection/critical]
+  global_env: ${{ github.event.issue.title }}
   test: test
 
 jobs:
   echo-chamber:
     env:
-      job_env: ${{ github.event.issue.title }} # $ Source[actions/code-injection/critical]
+      job_env: ${{ github.event.issue.title }}
     runs-on: ubuntu-latest
     steps:
-    - run: echo '${{ github.event.issue.title }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.issue.body }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ env.global_env }}' # $ Alert[actions/code-injection/critical]
+    - run: echo '${{ github.event.issue.title }}'
+    - run: echo '${{ github.event.issue.body }}'
+    - run: echo '${{ env.global_env }}'
     - run: echo '${{ env.test }}'
-    - run: echo '${{ env.job_env }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ env.step_env }}' # $ Alert[actions/code-injection/critical]
+    - run: echo '${{ env.job_env }}'
+    - run: echo '${{ env.step_env }}'
       env:
-        step_env: ${{ github.event.issue.title }} # $ Source[actions/code-injection/critical]
+        step_env: ${{ github.event.issue.title }}

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/json_wrap.yml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.event.comment.body == '/jira ticket' }}
     steps:
-      - run: echo ${{ github.event.comment.body }} # $ Alert[actions/code-injection/critical]
+      - run: echo ${{ github.event.comment.body }}
 
       - name: Login
         uses: atlassian/gajira-login@v3
@@ -20,7 +20,7 @@ jobs:
           JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }}
 
       - name: SearchParam
-        run: echo 'summary ~ ${{ toJSON(github.event.issue.title)}} AND project=${{ secrets.JIRA_PROJECT }}' # $ Alert[actions/code-injection/critical]
+        run: echo 'summary ~ ${{ toJSON(github.event.issue.title)}} AND project=${{ secrets.JIRA_PROJECT }}'
 
       - name: Search
         id: search

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/level0.yml

@@ -41,7 +41,7 @@ jobs:
         run: |
           echo "Checking issue body for profanities..."
           PROFANITIES_LIST="bad|disguting|horrible"
-          if echo "${{ github.event.issue.body }}" | grep -qiE "$PROFANITIES_LIST"; then # $ Alert[actions/code-injection/critical]
+          if echo "${{ github.event.issue.body }}" | grep -qiE "$PROFANITIES_LIST"; then
             echo "Profanity detected in issue body. Please clean up the language."
             exit 1
           else
@@ -66,7 +66,7 @@ jobs:
         uses: actions/github-script@v5
         with:
           script: |
-            const commentBody = "${{ github.event.comment.body }}"; # $ Alert[actions/code-injection/critical]
+            const commentBody = "${{ github.event.comment.body }}";
             let response;
             if (commentBody.includes("hello")) {
               response = "Hello! How can I help you today?";

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/level1.yml

@@ -34,4 +34,4 @@ jobs:
           pr-message: 'Message that will be displayed on users first pr'
       - name: Log test executions
         run: |
-          echo "Lint ran for branch ${{ github.event.workflow_run.head_branch }} in a PR from ${{ github.actor }}. Please check the logs for more information." # $ Alert[actions/code-injection/critical]
+          echo "Lint ran for branch ${{ github.event.workflow_run.head_branch }} in a PR from ${{ github.actor }}. Please check the logs for more information."

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/priv_pull_request.yml

@@ -11,4 +11,4 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - run: echo "${{ github.event.pull_request.body }}" # $ Alert[actions/code-injection/medium]
+      - run: echo "${{ github.event.pull_request.body }}"

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review.yml

@@ -4,11 +4,11 @@ jobs:
   echo-chamber:
     runs-on: ubuntu-latest
     steps:
-    - run: echo '${{ github.event.pull_request.title }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.pull_request.body }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.pull_request.head.label }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.pull_request.head.repo.default_branch }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.pull_request.head.repo.description }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.pull_request.head.repo.homepage }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.pull_request.head.ref }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.review.body }}' # $ Alert[actions/code-injection/critical]
+    - run: echo '${{ github.event.pull_request.title }}'
+    - run: echo '${{ github.event.pull_request.body }}'
+    - run: echo '${{ github.event.pull_request.head.label }}'
+    - run: echo '${{ github.event.pull_request.head.repo.default_branch }}'
+    - run: echo '${{ github.event.pull_request.head.repo.description }}'
+    - run: echo '${{ github.event.pull_request.head.repo.homepage }}'
+    - run: echo '${{ github.event.pull_request.head.ref }}'
+    - run: echo '${{ github.event.review.body }}'

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review_comment.yml

@@ -4,11 +4,11 @@ jobs:
   echo-chamber:
     runs-on: ubuntu-latest
     steps:
-    - run: echo '${{ github.event.pull_request.title }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.pull_request.body }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.pull_request.head.label }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.pull_request.head.repo.default_branch }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.pull_request.head.repo.description }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.pull_request.head.repo.homepage }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.pull_request.head.ref }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.comment.body }}' # $ Alert[actions/code-injection/critical]
+    - run: echo '${{ github.event.pull_request.title }}'
+    - run: echo '${{ github.event.pull_request.body }}'
+    - run: echo '${{ github.event.pull_request.head.label }}'
+    - run: echo '${{ github.event.pull_request.head.repo.default_branch }}'
+    - run: echo '${{ github.event.pull_request.head.repo.description }}'
+    - run: echo '${{ github.event.pull_request.head.repo.homepage }}'
+    - run: echo '${{ github.event.pull_request.head.ref }}'
+    - run: echo '${{ github.event.comment.body }}'

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml

@@ -6,12 +6,12 @@ jobs:
     steps:
     - run: echo '${{ github.event.issue.title }}' # not defined for this trigger, so we should not report it
     - run: echo '${{ github.event.issue.body }}' # not defined for this trigger, so we should not report it
-    - run: echo '${{ github.event.pull_request.title }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.pull_request.body }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.pull_request.head.label }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.pull_request.head.repo.default_branch }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.pull_request.head.repo.description }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.pull_request.head.repo.homepage }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.pull_request.head.ref }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.head_ref }}' # $ Alert[actions/code-injection/critical]
+    - run: echo '${{ github.event.pull_request.title }}'
+    - run: echo '${{ github.event.pull_request.body }}'
+    - run: echo '${{ github.event.pull_request.head.label }}'
+    - run: echo '${{ github.event.pull_request.head.repo.default_branch }}'
+    - run: echo '${{ github.event.pull_request.head.repo.description }}'
+    - run: echo '${{ github.event.pull_request.head.repo.homepage }}'
+    - run: echo '${{ github.event.pull_request.head.ref }}'
+    - run: echo '${{ github.head_ref }}'
 

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push.yml

@@ -4,13 +4,13 @@ jobs:
   echo-chamber:
     runs-on: ubuntu-latest
     steps:
-    - run: echo '${{ github.event.commits[11].message }}' # $ Alert[actions/code-injection/medium]
-    - run: echo '${{ github.event.commits[11].author.email }}' # $ Alert[actions/code-injection/medium]
-    - run: echo '${{ github.event.commits[11].author.name }}' # $ Alert[actions/code-injection/medium]
-    - run: echo '${{ github.event.head_commit.message }}' # $ Alert[actions/code-injection/medium]
-    - run: echo '${{ github.event.head_commit.author.email }}' # $ Alert[actions/code-injection/medium]
-    - run: echo '${{ github.event.head_commit.author.name }}' # $ Alert[actions/code-injection/medium]
-    - run: echo '${{ github.event.head_commit.committer.email }}' # $ Alert[actions/code-injection/medium]
-    - run: echo '${{ github.event.head_commit.committer.name }}' # $ Alert[actions/code-injection/medium]
-    - run: echo '${{ github.event.commits[11].committer.email }}' # $ Alert[actions/code-injection/medium]
-    - run: echo '${{ github.event.commits[11].committer.name }}' # $ Alert[actions/code-injection/medium]
+    - run: echo '${{ github.event.commits[11].message }}'
+    - run: echo '${{ github.event.commits[11].author.email }}'
+    - run: echo '${{ github.event.commits[11].author.name }}'
+    - run: echo '${{ github.event.head_commit.message }}'
+    - run: echo '${{ github.event.head_commit.author.email }}'
+    - run: echo '${{ github.event.head_commit.author.name }}'
+    - run: echo '${{ github.event.head_commit.committer.email }}'
+    - run: echo '${{ github.event.head_commit.committer.name }}'
+    - run: echo '${{ github.event.commits[11].committer.email }}'
+    - run: echo '${{ github.event.commits[11].committer.name }}'